Metasploit a one-stop hack shop

Presentation transcript:

Metasploit: a one-stop hack shop. Ziga Cerkovnik, CSE 7344, SMU, 2017

What is Metasploit?
- Open-source penetration testing framework
- Developing and using security tools
- Wide range of modules: Exploit, Auxiliary, Post-exploitation, Payload, Encoder, NOP

Payloads
- Types: Singles (inline), Stagers, Staged
- Modules: Meterpreter, PassiveX, NoNX, Ord, IPv6, Reflective DLL

Metasploit tools
- Meterpreter: payload within Metasploit; exploits and controls victims; loads/runs DLLs on victims
- MSFvenom: Metasploit component; generates standalone payloads; supports multiple formats (ruby, exe, shell, php); encodes payloads

Live demo

Components and requirements
- Attacker (Kali Linux): Metasploit, Nmap, Netcat
- Victim (Metasploitable, OWASP project, purposely vulnerable): default configuration
- Private (virtual) network connection

Exploit: CVE-2007-2447
- Report date: 5/2/2007
- Samba: software providing file and print services between UNIX/Windows
- Affected: Samba 3.0.XXX
- What went wrong: 'SamrChangePassword()' remote shell; bypass authorization; allows access to other services on the server
- TL;DR: bypass authorization -> root access, if the 'usermap' option is enabled in 'smb.conf'
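The condition on the last bullet is the 'username map script' option in smb.conf. As an added example (not from the slides), here is a small Python audit that parses a constructed smb.conf, flags that option in [global], and checks a Samba version string against the affected range stated in the Samba advisory (3.0.0 through 3.0.25rc3); the sample config and the version strings are assumptions for illustration.

```python
import re

# Constructed sample smb.conf (not from any real host). The "username map
# script" option in [global] is the setting CVE-2007-2447 depends on.
SAMPLE_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   username map script = /etc/samba/scripts/mapusers.sh

[homes]
   browseable = no
"""

# Affected range per the Samba advisory: 3.0.0 through 3.0.25rc3.
# A distro suffix such as "-Debian" is tolerated and ignored.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(rc\d+)?(?:-.*)?$")

def parse_smb_conf(text: str) -> dict:
    """Parse smb.conf into {section: {key: value}}; names lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections

def version_affected(version: str) -> bool:
    """True if a Samba version string falls inside 3.0.0 .. 3.0.25rc3."""
    m = _VERSION_RE.match(version.strip())
    if not m or (int(m.group(1)), int(m.group(2))) != (3, 0):
        return False
    patch, is_rc = int(m.group(3)), m.group(4) is not None
    return patch < 25 or (patch == 25 and is_rc)

def check_usermap_exposure(conf_text: str, samba_version: str) -> list:
    """The option is the exploitable condition; the version is the exposure."""
    findings = []
    script = parse_smb_conf(conf_text).get("global", {}).get("username map script")
    if script:
        findings.append(f"'username map script' = {script!r} in [global]")
        if version_affected(samba_version):
            findings.append(f"Samba {samba_version} is in the CVE-2007-2447 range")
    return findings
```

Removing the option closes the exploitable path even before the package is upgraded, which is why the audit reports the two findings separately.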

Environment setup
- Internet (via host PC)
- C1 (VPN)
- Attacker [192.168.56.102]: Kali Linux 4.6.4; network adapters: NAT (inactive), C1 (host-only, private)
- Victim [192.168.56.101]: Metasploitable 2.6.24.16-server; network adapters: C1 (host-only, private)

Scenario
1. Reconnaissance (see if our target is vulnerable): Nmap to scan the Victim machine (service scan + OS detection)
2. Weaponization: select our exploit -> CVE-2007-2447; prepare our payload (Metasploit reverse shell -> 'cmd/unix/reverse')
3. Exploitation and delivery: connect to the Victim's Samba port (:139) through the Attacker's SSL (:443) port; leverage CVE-2007-2447; deliver the payload provided by Metasploit to open a shell
4. C2: check available services to determine the next step; Python|perl|php|netcat reverse shell script deployment
5. Objective: extract something cool; open a reverse shell and gain root access

1. Reconnaissance: nmap
- Create a new workspace within the Metasploit framework (target list is currently empty)
- Use Nmap on the Victim IP: OS + services scan

Nmap output: the Samba service is the interesting entry here, since we will be exploiting Samba.

2. Weaponization: select exploit
- We are familiar with CVE-2007-2447, so we perform a keyword search
- Exploit description and location
- There are multiple 'Samba' exploits available; for this scope we want to exploit the 'usermap' vulnerability

2. Weaponization: select payload
- Based on the exploit module we chose, compatible payloads are recommended
- We will be using this payload (generic reverse shell)

2. Weaponization: set module variables
- Metasploit recognizes the Victim IP from the nmap scan and populates the RHOST (Victim) and RPORT (entry point) fields
- Configured in the next 2 steps: LHOST = Attacker machine; LPORT = 443, the reason we change it to 443 is to avoid possible firewall detection by using the 'SSL' port
- Exploit's target

3. Exploitation and delivery
That is all we have to do. The exploit runs, our payload is delivered, and we now have access to a shell! WOAH! ROOT ACCESS ON VICTIM MACHINE!!!!!!!

4. C2: extract '/etc/shadow'
- Create new folder '/send'
- Output from '/etc/shadow' -> '/send/pwned.txt'
- Check what is in 'pwned.txt'

4. C2: transfer 'pwned.txt'
1. Victim machine shell: zip the folder contents; use netcat to open port 1337
2. Attacker machine terminal: connect to port 1337, which we just opened; pipe the .tar file directly into tar, unpacking it in the current dir ('/root/Desktop')
3. Attacker machine ('/root/Desktop'): the file magically appears on the Attacker machine!

4. C2: verify 'pwned.txt'
- Victim machine shell
- File on Attacker machine: '/root/Desktop/pwned.txt'

4. C2: service lookup
We already have root access through our reverse shell payload; however, if we do not obtain root privileges off the bat, we may want to execute a short script on the Victim machine to escalate privileges. That is what we are attempting next.
- Victim machine shell: attempt to find a service we could use to run a command that initiates a reverse shell with root privileges
- Tried our 'luck' with php5 -> it appears to be present

4. C2: service lookup
1. Attacker machine terminal (command not shown): 'nc -lvp 666' -> listen on this port
2. Victim machine shell: execute a 'compact' reverse shell script written in PHP; it connects to the Attacker machine on port 666 and manipulates TCP file descriptors, enabling root access via shell
3. After the PHP script is run on the Victim machine shell, the Attacker has full control
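Every C2 step in the demo leaves the same network footprint: the file server initiates outbound connections (the LPORT 443 reverse shell, the PHP shell to port 666) or accepts connections on a port it never served before (the netcat transfer on 1337). As an added example, not from the slides, the Python below runs a role-based check over constructed Zeek-style connection records using the demo's addresses; the expected-port baseline (22, 139, 445) and the empty egress allowlist are assumptions for a file server that should not open connections itself.

```python
from dataclasses import dataclass

# Constructed connection records (not a real capture) in a simplified
# Zeek-style conn.log shape: ts,orig_h,orig_p,resp_h,resp_p,proto.
# Addresses and ports follow the demo: Victim .101, Attacker .102.
SAMPLE_CONN_LOG = """\
1500000001,192.168.56.102,51234,192.168.56.101,139,tcp
1500000002,192.168.56.101,41002,192.168.56.102,443,tcp
1500000003,192.168.56.102,51240,192.168.56.101,1337,tcp
1500000004,192.168.56.101,41010,192.168.56.102,666,tcp
1500000005,192.168.56.102,51250,192.168.56.101,22,tcp
"""

# Assumed baseline for the file server: the ports it is expected to serve
# and the (host, port) destinations it is allowed to initiate itself.
SERVER_IP = "192.168.56.101"
EXPECTED_INBOUND_PORTS = {22, 139, 445}
ALLOWED_OUTBOUND = set()   # a file server has no reason to open egress here


@dataclass(frozen=True)
class Alert:
    ts: str
    kind: str
    peer: str
    port: int


def analyze(conn_log: str) -> list:
    """Flag server-initiated egress and inbound hits on unexpected ports."""
    alerts = []
    for line in conn_log.splitlines():
        if not line.strip():
            continue
        ts, orig_h, _orig_p, resp_h, resp_p, _proto = line.split(",")
        resp_p = int(resp_p)
        if orig_h == SERVER_IP and (resp_h, resp_p) not in ALLOWED_OUTBOUND:
            # The server opened the connection: this is what a reverse shell
            # looks like, and choosing 443 does not change the direction.
            alerts.append(Alert(ts, "server-initiated egress", resp_h, resp_p))
        elif resp_h == SERVER_IP and resp_p not in EXPECTED_INBOUND_PORTS:
            # Something on the server is listening where nothing should be
            # (the netcat transfer port in the demo).
            alerts.append(Alert(ts, "unexpected inbound port", orig_h, resp_p))
    return alerts
```

Port 443 only makes the channel look like HTTPS to a port-based filter; an egress proxy or TLS inspection that sees a plain shell on 443 is the complementary control.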

5. Goals?
- Extract something cool (-ish)
- Reverse shell with root privileges