Introduction to Exploitation
- 2. We’ve completed our recon and learned as much about the organization and network as we could by visiting public sites We’ve verified targets and identified services used and potential vulnerabilities via ping sweeps, port scans, OS fingerprinting, and banner grabbing Now the real fun begins…
- 3. Exploits may have unintended consequences (e.g., crashing a service or a server) Mitigate such risks by: Obtaining your exploit tools from reliable sources. If the site provides a hash value, verify the integrity of your downloads Experiment with the tools in a lab environment which mimics the client’s production network as closely as possible Explain risks to client before executing exploits
- 4. Large number of nmap scripts ◦ Used to find exploitable vulnerabilities ◦ Written in the NASL scripting language To execute all nmap scripts: nmap –A IP-address
- 5. Nessus by Tenable ◦ Automatic vulnerability scanning tool ◦ Used to be free to all; now free (with limitations) for home use, otherwise commercial (license >=$1,500 per year) Open Vulnerability Assessment System (OpenVAS) ◦ Free ◦ Branched off from Nessus when the latter went commercial ◦ Fewer and different plug-ins than Nessus
- 6. Brute Force login attacks (password guessing) ◦ medusa ◦ THC Hydra Password cracking and rainbow tables will be discussed in chapter 10
- 7. Fuzzing: Providing a program with different data in the hopes of finding usable anomalies ◦ Often used in web attacks, but can be used anywhere there is user input ◦ Note: This is a very noisy type of attack JBroFuzz attempts to find directories located on a web server by fuzzing directory names ◦ Available via the Open Web Application Security Project (OWASP)
- 8. Tool beloved by security experts and black hats alike Community edition is free for students and small companies Framework which gives one access to hundreds of different exploits and payloads, with more being added daily ◦ Exploit: The code that lets you use a vulnerability to deliver a payload (think: bomber) ◦ Payload: The code that you are trying to get to run (think: bomb). Common payloads are a reverse shell and the meterpreter
- 9. Launch Metasploit ◦ Msfconsole Explore exploits (optional) and payloads ◦ show exploits ◦ show payloads ◦ search type:exploit search-string Specify exploit ◦ use path/exploitname ◦ use auxiliary/scanner/ftp/anonymous Specify payload ◦ set PAYLOAD path/payloadname
- 10. Explore exploit options (optional) ◦ show options Provide values for options ◦ set RHOSTS 70.0.0.3 ◦ set RPORT 21 ◦ set LHOST 192.168.0.4 ◦ set LHOST 3456 Execute the exploit ◦ Exploit
- 11. Background a meterpreter session ◦ CTRL^z Show list of sessions ◦ sessions –l (That is a lower case el, not the number 1) Interact with a session (e.g., session 2) ◦ sessions –i 2 Quit the program ◦ Exit
- 12. Metasploit is extremely powerful and versatile. The book shows a few sample exploits. As you have time, explore additional exploits and their options. We’ll be looking at payloads next chapter
- 13. www.exploit-db.com (Note that the book has a typo on page 236) Beware of downloaded code! ◦ Consider the source ◦ Examine it ◦ Check its hash if appropriate ◦ Run it in a test environment first
- 14. Remember the SANS Top 10? Service misconfiguration Overflow flaw Information leakage