Metasploit for Beginners
Ramnath
Whoami
Ramnath Shenoy
• Engineering @ FireEye
• https://www.linkedin.com/in/ramnathshenoyk
• @Ramnathsk
Metasploit for Beginners
● Why Metasploit?
● Demo Setup
● Auxiliary Module
● Exploit Module
● Payloads
● Demo 1 - Elastic Search exploit
● Demo 2 - Jenkins exploit
Why Metasploit?
Problems with standalone public exploits:
● Published independently
● Different programming languages
● Targeting limited to a specific platform
● No evasion techniques
● No clear documentation
● No coding style and difficult to embed / modify
Metasploit Framework
Current stable version is v4.13.X
• Written in Ruby, https://github.com/rapid7/metasploit-framework.git
• [ 1610 exploits, 914 auxiliary, 279 post, 471 payloads, 39 encoders, 9 nops ]
• Ready in Kali - used in this demo.
• Available as a Windows installer. (Never really tried!..)
Metasploit Architecture (diagram)
Libraries: Rex, MSF::Core, MSF::Base
Interfaces: msfconsole
Modules: nops, payloads, exploits, auxiliary, encoders, post
Tools
Plugins
Visualising an attack (diagram)
Target: vulnerable software
Auxiliary: scan and enumerate; rogue servers
Exploit: remote exploit; local exploit
Payload: windows/shell; windows/add user
Post: enum credentials; exploit suggest
Flow: Exploit -> Payload -> Post, driven from msfconsole
Demo Setup!
Target: Windows 2008 R2 – Metasploitable3, designed vulnerable to test payloads
Setup instructions: https://github.com/rapid7/metasploitable3
(diagram, VirtualBox)
Attacker: Metasploit/Kali, 172.28.128.4
Victim: Windows 2k8, 172.28.128.3
Msfconsole Navigation cheat sheet!
msfupdate - update
msfconsole – initialize metasploit
>help - example: help search
>search - example: search name:pcman type:exploit
>show - example: show info, show options and show advanced
>use - example: use exploit/.., use aux/.., use payload/..
>set, unset, setg & unsetg - example: set payload/.., set exitfunc
>back, previous
Exploit, Post and Payload specifics
>set RHOST : Victim IP
>set RPORT: Victim port
>set LHOST: Attacker IP
>set LPORT: Attacker Port on Reverse Connect or Victim Port on Bind
>set SESSION: The Session id of an earlier attack to attempt Local priv esc
Commands Prior Demo!
• Start PostgreSQL, initialize the database for Metasploit and then start msfconsole
• Set up a workspace within Metasploit to store enumeration results
• Initialise a scan with nmap so that its results are stored; results in the db will be accessible via “services”
Auxiliary Module - Demo
• Brute force access tests on different protocols.
• Enumerate and gather more information with limited access.
• Check for misconfigured or default web portals.
• Set up rogue ftp, http, smb, imap servers.
Auxiliary Module - “use auxiliary/scanner/snmp/snmp_enum”
Exploit Module
Remote exploits are typically named exploit/Platform/protocol/Application_or_service
Local exploits are typically named exploit/Platform/local/Application_or_service
Payload Module
Bind Shell TCP
• Successful exploitation opens a new listening port on the victim with shell access.
Reverse Shell TCP
• Successful exploitation makes the victim connect back to the attacker and provide its shell.
(diagram) Bind shell: Exploit from the attacker, then the attacker connects to the BindShell-Listener on the victim. Reverse shell: Exploit from the attacker, then the victim connects back to the Reverse Shell-Listener on the attacker.
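A defender's view of the two payload shapes above, as an added example that is not part of the slides: it parses a constructed netstat-style socket snapshot of the victim host and flags the bind shell shape (an unexpected new listener) and the reverse shell shape (a server process dialing out to an unexpected port). The snapshot, the expected-listener set and the allowed-outbound set are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed netstat-style socket snapshot from the victim host (172.28.128.3 in
# the demo lab); not real output. Columns: proto local remote state process
SAMPLE = """\
tcp 0.0.0.0:9200 0.0.0.0:* LISTEN java
tcp 0.0.0.0:8080 0.0.0.0:* LISTEN java
tcp 0.0.0.0:4444 0.0.0.0:* LISTEN cmd.exe
tcp 172.28.128.3:9200 172.28.128.4:51020 ESTABLISHED java
tcp 172.28.128.3:49211 172.28.128.4:4444 ESTABLISHED java
tcp 172.28.128.3:49212 172.28.128.10:443 ESTABLISHED java
"""

# Assumed baseline for this host: services it should listen on (Elasticsearch,
# Jenkins) and the only remote ports its processes may legitimately dial out to.
EXPECTED_LISTEN = {8080, 9200}
ALLOWED_OUTBOUND = {53, 443}

LINE = re.compile(r"^(\S+)\s+(\S+):(\d+)\s+(\S+):(\S+)\s+(\S+)\s+(\S+)$")

def parse(table: str) -> List[Dict]:
    """Parse the snapshot into dicts; a '*' remote port becomes None."""
    rows = []
    for line in table.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # skip blank or header lines
        proto, lip, lport, rip, rport, state, proc = m.groups()
        rows.append(dict(proto=proto, lip=lip, lport=int(lport), rip=rip,
                         rport=None if rport == "*" else int(rport),
                         state=state, proc=proc))
    return rows

def find_shell_indicators(table: str) -> List[Tuple[str, int, str]]:
    """Return (indicator, port, process) for every socket matching either shape."""
    findings = []
    for r in parse(table):
        if r["state"] == "LISTEN" and r["lport"] not in EXPECTED_LISTEN:
            # Bind shell shape: a new listener on a port no known service owns.
            findings.append(("bind-shell-like listener", r["lport"], r["proc"]))
        elif (r["state"] == "ESTABLISHED"
              and r["lport"] not in EXPECTED_LISTEN   # ephemeral local port: we dialed out
              and r["rport"] not in ALLOWED_OUTBOUND):
            # Reverse shell shape: a server process connected out to an unexpected port.
            findings.append(("reverse-shell-like outbound", r["rport"], r["proc"]))
    return findings
```

Inbound client connections to an expected service port (the 9200 ESTABLISHED row) are deliberately left alone; only listeners and outbound connections that break the baseline are reported.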
Exploit Module - Demo 1
• exploit/multi/elasticsearch/script_mvel_rce
• ElasticSearch -> 1.1.1
• Payload -> java/shell/reverse_tcp
Exploit Module 2
For exploits where the attacker machine must act as a server hosting the delivery of the exploit, we will need 2 more options: SRVHOST and SRVPORT.
Meterpreter Payload, provides an interactive environment with functionalities like
• getsystem, clearev, migrate, hashdump, post, upload/download, edit
• run portrecorder, load mimikatz..
Exploit Module - Demo 2
• exploit/multi/http/jenkins_script_console
• windows/meterpreter/reverse_tcp
Thanks.