Metasploit a one-stop hack shop


1 Metasploit a one-stop hack shop
Ziga Cerkovnik CSE 7344 SMU, 2017

2 What is Metasploit?
Open-source penetration testing framework for developing and using security tools. Wide range of modules: Exploit, Auxiliary, Post-exploitation, Payload, Encoder, NOP

3 Payloads
Payload types: Inline, Staged, Meterpreter, PassiveX, NoNX, Ord, IPv6, Reflective DLL. Payload modules: Singles, Stagers

4 Metasploit tools
Meterpreter: payload within Metasploit; exploits and controls victims; loads/runs DLLs on victims. MSFvenom: Metasploit component; generates standalone payloads; supports multiple formats (ruby, exe, shell, php); encodes payloads

5 Live demo

6 Components and requirements
Attacker (Kali Linux): Metasploit, Nmap, Netcat. Victim (Metasploitable, OWASP project, purposely vulnerable): default configuration. Private (virtual) network connection

7 Exploit: CVE-2007-2447. Report date: 5/2/2007
Samba: software providing file and print services between UNIX/Win. Affected: Samba 3.0.XXX. What went wrong: ‘SamrChangePassword()’ remote shell → bypass authorization → allows access to other services on the server. TLDR: bypass authorization → root access, if (‘smb.conf’ = enabled)
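The slide's condition "if ('smb.conf' = enabled)" is the `username map script` directive: per the CVE text, Samba 3.0.0 through 3.0.25rc3 with that option set lets a remote caller reach a shell through SamrChangePassword(). The following audit script is an added example, not part of the presentation or of Samba itself; it parses an smb.conf, flags that directive, and checks the version string against the affected range. The two sample configurations are constructed for the example.

```python
"""
Added defensive check (not from the presentation): audit a Samba configuration and
version for the exposure slide 7 describes (CVE-2007-2447). Per the CVE text, an smbd
in the 3.0.0 .. 3.0.25rc3 range with the 'username map script' option set in smb.conf
(the slide's "If ('smb.conf' = enabled)") lets a remote caller run commands via
SamrChangePassword(). Samba treats parameter names as case-insensitive and ignores
internal whitespace, so the parser normalises keys before matching. Sample configs
below are constructed for this example.
"""
import re
from typing import Dict, List, Tuple

# CVE-2007-2447 was fixed in the final 3.0.25 release; 3.0.0 .. 3.0.25rc3 are affected.
FIXED_VERSION = (3, 0, 25)

# Normalised key -> why it matters. Only the directive the CVE depends on is listed.
RISKY_KEYS = {
    "usernamemapscript": "runs a shell command with caller-supplied input (CVE-2007-2447)",
}


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal smb.conf parser: {section: {normalised_key: value}}; later keys overwrite earlier ones."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:                                     # [section] header
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)           # only the first '=' is significant
        sections[current][re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections


def parse_version(version: str) -> Tuple[int, int, int, str]:
    """'3.0.25rc3' -> (3, 0, 25, 'rc3'); the tag is non-empty only for pre-releases."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)([a-z]+\d*)?$", version.strip())
    if not m:
        raise ValueError(f"unrecognised Samba version string: {version!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4) or ""


def version_affected(version: str) -> bool:
    """True for every 3.0.x release before 3.0.25 and for the 3.0.25 pre-releases."""
    major, minor, patch, tag = parse_version(version)
    if (major, minor) != (3, 0):
        return False                              # the CVE covers the 3.0 line only
    if (major, minor, patch) < FIXED_VERSION:
        return True
    return (major, minor, patch) == FIXED_VERSION and tag != ""


def audit(conf_text: str, samba_version: str) -> Dict[str, object]:
    """Combine the config and version checks into a status plus human-readable findings."""
    findings: List[str] = []
    global_sec = parse_smb_conf(conf_text).get("global", {})
    key_hit = False
    for key, why in RISKY_KEYS.items():
        if global_sec.get(key):
            key_hit = True
            findings.append(f"[global] {key} = {global_sec[key]!r}: {why}; "
                            "remove it or use a static 'username map' file")
    ver_hit = version_affected(samba_version)
    if ver_hit:
        findings.append(f"Samba {samba_version} is in the affected range 3.0.0 .. 3.0.25rc3; "
                        "upgrade to 3.0.25 or later")
    if key_hit and ver_hit:
        status = "exploitable"                    # both conditions present: the slide-7 scenario
    elif ver_hit:
        status = "patch"
    elif key_hit:
        status = "harden"
    else:
        status = "ok"
    return {"status": status, "findings": findings}


# Constructed sample: the risky directive with deliberately irregular spacing and case.
VULNERABLE_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = %h server (Samba %v)
   ; maps incoming user names through an external script
   Username Map  Script = /etc/samba/scripts/mapusers.sh
[print$]
   path = /var/lib/samba/printers
"""

# Constructed sample: same server with the script replaced by a static map file.
HARDENED_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = %h server (Samba %v)
   # username map script removed; static mapping instead
   username map = /etc/samba/smbusers
"""

if __name__ == "__main__":
    for label, conf, ver in (("vulnerable", VULNERABLE_CONF, "3.0.20"),
                             ("hardened", HARDENED_CONF, "3.0.25")):
        result = audit(conf, ver)
        print(label, result["status"], *result["findings"], sep="\n  ")
```

On a live host, feed the script the output of `testparm -s` rather than the raw file, so that included files and defaults are already resolved; the version check is a triage aid and the vendor advisory remains the authority on exact affected builds.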

8 Environment setup: Internet (via host PC), C1 (VPN)
Attacker [ ]: Linux Kali 4.6.4; network adapters: NAT (inactive), C1 (Host-only, private). Victim [ ]: Metasploitable server; network adapters: C1 (Host-only, private)

9 Scenario
Reconnaissance (see if our target is vulnerable): Nmap to scan Victim machine (service scan + OS detection)
Weaponization: select our exploit → CVE; prepare our payload (Metasploit reverse shell → ‘cmd/unix/reverse’)
Exploitation and Delivery: connect to Victim’s Samba port (:139) through Attacker’s SSL (:443) port; leverage CVE; deliver the payload provided by MS to open a shell
C2: check available services to determine the next step; Python|perl|php|netcat reverse shell script deployment
Objective: extract something cool; open a reverse shell and gain root access

10 Reconnaissance: nmap. Create a new workspace within the Metasploit framework. Target list is currently empty. Use Nmap on Victim IP: OS + services scan

11 Nmap output
This seems to be interesting, since we will be exploiting Samba.

12 2. Weaponization: select exploit
We are familiar with the CVE, so we perform a keyword search. Exploit description and location: there are multiple ‘Samba’ exploits available. For this scope we want to exploit the ‘usermap’ vulnerability.

13 2. Weaponization: select payload
Based on the exploit module we chose, compatible payloads are recommended. We will be using this payload (generic reverse shell)

14 2. Weaponization: set module variables
Metasploit recognizes the Victim IP from the nmap scan, and populates the RHOST (Victim) and RPORT (entry point) fields. Configured in the next 2 steps: LHOST = Attacker machine; LPORT: the reason we change it to 443 is to avoid possible firewall detection by accessing the ‘SSL’ port; exploit’s target

15 3. Exploitation and delivery
All we have to do. The exploit runs, our payload is delivered, and we now have access to a shell! WOAH! ROOT ACCESS ON VICTIM MACHINE!!!!!!!

16 4. C2: extract ‘/etc/shadow’
Create new folder ‘/send’. Output from ‘/etc/shadow’ → ‘/send/pwned.txt’. Check what is in ‘pwned.txt’

17 4. C2: transfer ‘pwned.txt’
1. Victim machine shell: zip folder contents; use netcat to open port 1337. 2. Attacker machine terminal: connect to port 1337, which we just opened; aim the .tar file directly into tar, unzipping it in the current dir (‘/root/Desktop’). 3. Attacker machine (‘/root/Desktop’): the file magically appears on Attacker machine!

18 4. C2: verify ‘pwned.txt’ Victim machine shell
File on Attacker machine ‘/root/Desktop/pwned.txt’

19 4. C2: service lookup
We already have root access through our reverse shell payload; however, if we do not obtain root privileges off the bat we may want to execute a short script on Victim machine to escalate privileges. That is what we are attempting next. Victim machine shell: attempt to find a service we could use to run a command to initiate a reverse shell with root privileges. Tried our ‘luck’ → with php5 → it appears to be present

20 4. C2: service lookup
1. Victim machine shell: execute a ‘compact’ reverse shell script written in php; connects to Attacker machine on port 666; manipulate TCP file descriptors, enable root access via shell. 2. Attacker machine terminal: command not shown: ‘nc -lvp 666’ → listen on this port. 3. After the php script is run on Victim machine shell, Attacker has full control
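Slides 14, 17 and 20 share one defensive lesson: the reverse shell on 443 is chosen precisely because a port-based firewall rule waves it through, while the netcat listener on 1337 and the php shell to 666 are plain anomalies. A role-based egress policy ("should a file server initiate this connection at all?") catches all three regardless of port, and a shell whose parent is smbd flags the initial exploit itself. The detector below is an added example, not part of the presentation or of any product; the event schema, the policy and the sample telemetry are constructed for it, with only the port numbers taken from the slides.

```python
"""
Added detection example (not from the presentation): role-based egress and
process-ancestry checks over constructed host telemetry, modelled on what the
Attacker does on slides 14, 17 and 20. Slide 14 picks LPORT 443 so the reverse
shell passes a port-based firewall rule; slides 17 and 20 add a netcat listener on
1337 and a php reverse shell to port 666. Asking "should this host, in this role,
initiate this connection at all?" catches all three regardless of port, and a shell
whose parent is smbd flags the initial exploit itself. Event fields and sample
records are constructed for this example, not output of any real sensor.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class NetEvent:
    ts: str
    host: str        # host the sensor runs on
    action: str      # "connect" = outbound connection initiated; "listen" = new listening socket
    proc: str        # process name
    parent: str      # parent process name
    lport: int       # local port
    raddr: str = ""  # remote address (empty for "listen")
    rport: int = 0   # remote port (0 for "listen")


@dataclass
class HostPolicy:
    role: str
    egress_allow: Set[Tuple[str, object]]   # (dst_ip or "*", dst_port or "*") the host may initiate
    expected_listeners: Set[int]            # ports this role legitimately listens on


# Processes that normally accept network input, and interpreters/shells they should never spawn.
NETWORK_DAEMONS = {"smbd", "nmbd", "apache2", "httpd", "sshd"}
SHELLS = {"sh", "bash", "dash", "nc", "netcat", "php", "php5", "perl", "python"}


def egress_allowed(policy: HostPolicy, raddr: str, rport: int) -> bool:
    """True when some allow-list entry matches the destination ('*' wildcards either field)."""
    return any(ip in ("*", raddr) and port in ("*", rport) for ip, port in policy.egress_allow)


def audit_events(events: List[NetEvent], policies: Dict[str, HostPolicy]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, finding_kind, detail) for every event that violates the host's policy."""
    findings: List[Tuple[str, str, str]] = []
    seen_shells = set()                         # report each daemon->shell pair once
    for e in events:
        pol = policies.get(e.host)
        if pol is None:
            continue                            # no policy for this host: nothing to judge against
        if e.action == "connect" and not egress_allowed(pol, e.raddr, e.rport):
            findings.append((e.ts, "egress-violation",
                             f"{e.host} ({pol.role}) {e.proc} -> {e.raddr}:{e.rport}"))
        if e.action == "listen" and e.lport not in pol.expected_listeners:
            findings.append((e.ts, "unexpected-listener",
                             f"{e.host} {e.proc} (parent {e.parent}) listening on {e.lport}"))
        if (e.proc in SHELLS and e.parent in NETWORK_DAEMONS
                and (e.host, e.parent, e.proc) not in seen_shells):
            seen_shells.add((e.host, e.parent, e.proc))
            findings.append((e.ts, "daemon-spawned-shell", f"{e.host}: {e.parent} spawned {e.proc}"))
    return findings


def summarize(findings: List[Tuple[str, str, str]]) -> Counter:
    """Count findings by kind."""
    return Counter(kind for _, kind, _ in findings)


# Constructed policy: a file server that only answers SMB and only talks out to one NTP host.
POLICIES = {
    "fileserver": HostPolicy(role="smb-file-server",
                             egress_allow={("192.0.2.123", 123)},
                             expected_listeners={139, 445}),
}

# Constructed telemetry mirroring the transcript: ports 443, 1337 and 666 are the slide values.
SAMPLE_EVENTS = [
    NetEvent("10:00:05", "fileserver", "listen",  "smbd", "init", 445),
    NetEvent("10:00:06", "fileserver", "connect", "ntpd", "init", 40000, "192.0.2.123", 123),
    NetEvent("10:01:01", "fileserver", "connect", "sh",   "smbd", 40001, "192.0.2.10", 443),
    NetEvent("10:05:10", "fileserver", "listen",  "nc",   "sh",   1337),
    NetEvent("10:09:30", "fileserver", "connect", "php5", "sh",   40002, "192.0.2.10", 666),
]

if __name__ == "__main__":
    for ts, kind, detail in audit_events(SAMPLE_EVENTS, POLICIES):
        print(ts, kind, detail)
```

The egress rule is deliberately destination-based rather than port-based: the 443 connection is judged by who initiated it, not by what it looks like on the wire, which is the point slide 14 makes from the other side. The process-ancestry rule is independent of any port and would fire even if the payload used a port on the allow list.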

21 5. Goals?
Extract something cool (-ish). Reverse shell with root privileges
