Metasploit: You can look like Hugh Jackman too!
BSides London 2014
BSides London 2014
Subjects
• What is the Metasploit Framework (MSF)?
• How can I use MSF to my advantage?
• Why would I want to use MSF?
• Last but not least: How DO I actually use MSF?
Terminology
• MSF
• Vulnerabilities
• Exploits
• Payloads
Metasploit trough the ages
• Started out as a ncruses based network game written in Perl
• 2003: MSF 1.0 released (11 exploits)
• Somewhere along the way.. v3.0 written in Ruby
• 2014: MSF 4.9 (1292 exploits)
Inside the box• +1200 exploits
• 700 auxiliary modules
• +200 post modules
• +300 payloads
• +30 encoders
• 8 nops
Sounds AMAZING Mike! How do I get it?
• rapid7.com
• github.com/rapid7
• kali.org
And now for something completely different…
Running the Metasploit Framework
From Kali Linux
binary.hybrid3.iso• md5: 058226e666c98e9e094318247ddb5e2c
• sha1: 40ebcbe6487d567f55747a219b426b4e62b4995c
• 32-bits
• Kali 1.0.6
• Metasploit 4.9.2-2014042301
• root/toor
metasploitable-linux-2.0.0.zip
• md5: 058226e666c98e9e094318247ddb5e2c
• sha1: 8825f2509a9b9a58ec66bd65ef83167f
• msfadmin/msfadmin
Virtualbox Configuration
Interacting with MSF• # msfcli
• # msfconsole
!
• out-of-scope: msfweb/msfgui
• out-of-scope: Armitage
• out-of-scope: Cobalt Strike
Starting MSF from Kali
msfconsole 101
• msf > version
• msf > banner
• msf > db_status
• msf > help (!!)
msfconsole basics• msf > search -h
• msf > info searchresult
• msf > use searchresult
• msf auxiliary(searchresult) > show actions
• msf exploit(searchresult) > show options
• msf auxiliary(totallynotwhereIwanttobe) > back
<3
And now.. for something completely different!
• Open Source Security Testing Methodology Manual (OSSTM)
• Information Systems Security Assessment Framework (ISSAF)
• Penetration Testing Execution Standard (PTES)
• Open Web Application Security Project (OWASP top 10)
• SANS (20 Critical Controls)
Penetration Testing stages• Information gathering
• Identifying threats
• Identifying vulnerabilities
• Exploiting vulnerabilities
• Post exploitation
Let’s get to it..
msfconsole 102
• msf > info exploit/multi/handler
• msf > use exploit/multi/handler
• msf exploit(handler) > info
• msf exploit(handler) > show options
• msf exploit(handler) > set variable
msfconsole 10..3?
• variables are set with set
• variables can be removed with unset
• global variables can be set with setg
• variabelen can be saved to ~/.msf4/config with save
MSF Jobs & Sessions
• Exploits = jobs
• Payloads = sessions
• msf > help sessions
MSF Jobs & Sessions
• use back to navigate back to the framework
• use background to suspend a meterpreter session
• msf > jobs -l (list all currently active jobs)
• msf > jobs -i x (interact with job nr. x)
Attack Vectors
• Server-side
• Client-side
Server-side
• msf > db_nmap target-ip
• msf > hosts
• msf > services
metasploitable2• msf > info exploit/multi/samba/usermap_script
• msf > use exploit/multi/samba/usermap_script
• exploit (usermap_script) > show options
• exploit (usermap_script) > set RHOST 172.x.x.x
• exploit (usermap_script) > set RPORT 445
• exploit (usermap_script) > check (niet alle exploits ondersteunen deze functie)
• exploit (usermap_script) > exploit
Metasploitable2
Ok, great! What now?
• msf > search post/linux
msfpayload
msfpayload
Why?
notepad++ + meterpreter
notepad++ + meterpreter + 99 iterations
notepad++ + meterpreter + 999 iterations
VB… what?!
pwnage
Notepad++ + meterpreter + VBS
Recap
• What is the Metasploit Framework (MSF)?
• How can I use MSF to my advantage?
• Why would I want to use MSF?
Victory Dance
Questions?
Ok, not bad.. How can I continue?!• http://blog.ctf365.com/metasploitable-in-the-cloud/
• http://r-7.co/Metasploitable2
• http://vulnhub.com
• Be aware of browser exploits!
• Be aware of QR codes!!
• Be aware of ALL THE THINGS!!!
Thank you all and until next year!
