
PRESENTATION ON Metasploit

Rahul
Contents
• Basics
• Pentest
• Exploits
• Payloads
• Metasploit Framework
• MSFVenom
• MSFConsole
• MSFEncode

Penetration Testing
The act of successfully breaching security on a remote computer system in order to gain some form of control access.
• Authentication Attacks
  • Password guessing using common strings or using default passwords
    • Ex: Wireless routers have default passwords. The majority don't change this!!!
    • Ex: Windows Administrator account passwords are often blank
  • Password Brute Force Attack
    • This method has become extremely fast with the use of Rainbow Tables!
• Social Engineering Attacks
  • To influence someone into divulging confidential information using techniques.
    • Ex: Phishing Attacks
• SQL Injection Attacks
  • To inject unexpected malformed SQL into a query in order to manipulate the database in unintended ways.
    • Ex: Inject an administrator account for yourself
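
The SQL injection case above, shown from the defender's side as an added example that is not part of the original slides: a string-built INSERT next to its parameterized form, run against an in-memory SQLite database. The table layout, function names and sample input are assumptions constructed for this illustration.

```python
import sqlite3

def new_db():
    """In-memory database with a users table (constructed for this example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    return conn

def register_vulnerable(conn, name):
    # Vulnerable: user input is pasted into the SQL text, so a quote in
    # `name` ends the string literal and the rest is parsed as SQL.
    conn.execute(f"INSERT INTO users (name, role) VALUES ('{name}', 'user')")

def register_safe(conn, name):
    # Hardened: the value is bound as a parameter and is never parsed as SQL.
    conn.execute("INSERT INTO users (name, role) VALUES (?, 'user')", (name,))

def roles(conn):
    """Return (name, role) rows in insertion order."""
    return conn.execute("SELECT name, role FROM users ORDER BY rowid").fetchall()

# Constructed input: closes the name literal, supplies its own role, and
# comments out the role the application intended to assign.
CRAFTED = "mallory', 'admin') --"

def demo():
    weak, strong = new_db(), new_db()
    register_vulnerable(weak, CRAFTED)
    register_safe(strong, CRAFTED)
    return roles(weak), roles(strong)

if __name__ == "__main__":
    weak_rows, strong_rows = demo()
    print("string-built query :", weak_rows)
    print("parameterized query:", strong_rows)
```

With the parameterized query the whole input is stored as an odd-looking user name with the role the application chose, which is also a useful signal to log and alert on.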
Software Exploitation (Most Dangerous)
Attacks can be used to gain access to unauthorized systems, leverage user account privileges, crash systems or provide installation of malicious software (such as spyware, viruses, Trojans, adware, etc.).

Exploit = Vulnerability + Payload


Vulnerability
The word vulnerability, in computer security, refers to a weakness in a system allowing an attacker to violate the confidentiality, integrity, availability, access control, audit mechanisms of the system or the data and applications it hosts.


Payloads
• The payload is a sequence of code that is executed when the vulnerability is triggered
• Different payload types exist and they accomplish different tasks:
  • exec :- Execute a command or program on the remote system
  • download_exec :- Download a file from a URL and execute
  • upload_exec :- Upload a

Metasploit Framework
“The Metasploit Framework is a platform for writing, testing, and using exploit code. The primary users of the Framework are professionals performing penetration testing, shellcode development, and vulnerability research.”

Metasploit
• A collaboration between the open source community and Rapid7, Metasploit software helps security and IT professionals identify security issues, verify vulnerability mitigations, and manage expert-driven security assessments.
• Smart exploitation, password auditing, web application scanning, and social engineering
• In short, Metasploit is a hacking framework written in Ruby. It is designed to help make writing and executing


Encoders
Encoders are used to convert one shellcode to another, and to remove unsanitary characters. They can also convert from one encoding to another. Ex. English to regional language

Some of the Encoders available in MSF


Payloads
Best Payload is Meterpreter:
• Meterpreter is an advanced, dynamically extensible payload that uses in-memory DLL injection stagers and is extended over the network at runtime. It communicates over the stager socket and provides a comprehensive client-side Ruby API. It features command history, tab completion, channels, and more.

Some of the Payloads available in MSF


Exploits
Metasploit contains quality-assured exploits, and the database is updated regularly for educational and testing purposes.
We will be using the GitStack remote code execution exploit: exploit/windows/http/gitstack_rce

Some of the Exploits available in MSF


Live Demo
Time for some action

Architecture
• Victim: 192.168.43.21
• Attacker: 192.168.43.10

In case the demo fails
• Win 10 with Vulnerable Application: GitStack
• Attacker PC: Parrot OS with MSF
• Exploiting GitStack with MSF
• Secret Data Unveiled


Conclusion
• Metasploit is a great tool.
• Can give in-depth knowledge to budding researchers
• But could prove dangerous if used unethically
• Rapid7.com/metasploit

THANK YOU
FOR YOUR
ATTENTION
