ClubHack, profile picture
Uploaded byClubHack
1,621 views

Metasploitation part-1 (murtuja)

This document provides an overview of metasploitation and using the Metasploit framework. It discusses basics like vulnerabilities, exploits, payloads and encoders. It then covers using the msfconsole interface, exploit modules, auxiliary modules like scanners, databases integration, automation, client-side exploits, payload generation, backdooring files, Linux backdoors, Meterpreter, pivoting, and post-exploitation techniques. The document includes several screenshots and links resources for further information.

Embed presentation

Downloaded 200 times
Metasploitation 4 Adults it’s not family affair… Murtuja Bharmal
Disclaimer Courtesy http://entertainment.desktopnexus.com_get_4642 1
About Me • Now Work Busy Man…. • Unemployed…. • Interest…. /dev/random…. • Co-founder of null…. :-D • X-IBMer’s ….. • Dal, Roti ka jugad, Security Consulting/Training
Agenda Courtesy http://asonchua.com
Agenda • Basics • Metasploit Auxiliary • Database Integration & Exploit Automation • Client Side Exploit & Extended Usage • Post Exploitation Fun • Metasploit Add-ons
Basics • What is vulnerability? • What is Exploit? • What is Payload? • What is encoder?
Vulnerability Courtesy http://harryjerry.com
Exploit Courtesy http://entertainment.in.msn.com
Payload • Use your imagination
Encoder • Still Thinking? Ask me offline
Basics • Vulnerability – Opportunity Window • Exploit – En-cashing Opportunity • Payload – En-cashment Window • Encoder – Masking
How it works? • Input malicious code Instead of Data • Malicious code = Exploit Code + Payload
Payload + Exploit Sanitized You should be at ClubHACK Courtesy http://guardian.co.uk Courtesy http://ivillage.com
Exploit Code 1 2 3 4 Courtesy 1. advice.eharmony.com 2. superstock.com 3. good-times.webshots.com 4. sheknows.com
Metasploit Framework • Open Source • Developed in Ruby • Easy to Use • 600+ Exploits • 200+ payloads • 25+ encoders • 300+ auxiliary
Metasploit Auxiliary Courtesy http://www.flickr.com
Metasploit Architecture Courtesy http://www.offensive-security.com
Directory Structure
Filesystem And Libraries • lib: the 'meat' of the framework code base • data: editable files used by Metasploit • tools: various useful command-line utilities • modules: the actual MSF modules • plugins: plugins that can be loaded at run-time • scripts: Meterpreter and other scripts • external: source code and third-party libraries Courtesy http://www.offensive-security.com/metasploit-unleashed
msfconsole
msfconsole • It is the only supported way to access most of the features within Metasploit. • Provides a console-based interface to the framework • Contains the most features and is the most stable MSF interface • Full readline support, tabbing, and command completion • Execution of external commands in msfconsole is possible: Courtesy http://www.offensive-security.com/metasploit-unleashed
Exploit Modules Confused how to explain technically? Courtesy http://www.sunpacmortgage.com
Metasploit – Exploit & Payloads • Exploit – Active – Passive • Payload Types – Inline ( Non Staged) – Staged – Meterpreter – PassiveX – NoNX – Ord – IPv6 – Reflective DLL injection
Exploit DEMO
Metasploit Auxiliary • Helper modules for pre-exploitation phase – Admin, DOS, Fuzzers, Gather, Scanner, Server, Spoof, SQLi, Sniffer, Test etc. • 300+ Auxiliary modules
We will cover • SCANNER • MSSQL • SNMP • FTP
Auxiliarry DEMO
Database Integration and Exploit Automation
Data Courtesy http://www.joy2day.com
Need of Database Sanitized You should be at ClubHACK
Need of Database • Network Penetration Testing • Easy management/storage of result • Report Generation
Database Integration& Exploit Automation • Database Support • Nmap • Nessus Bridge
Supported Database • Mysql - BackTrack 4 r2, MYSQL and Metasploit work together "out of the box“ • Postgres • Sqlite3 – file based database, might be pull-off in future
Nmap • db_nmap command to scan host/network • Result will be stored in database • Can view the result using db_hosts and db_services command
NMAP Demo
Nessus Bridge • Can perform vulnerability scan inside msfconsole • Supported using nessus bridge plugin • Use xmlrpc to connect with nessusd
Nessus Bridge Demo
In a Finger tip • db_autopwn – Automate exploitation process – Take target /service/vulnerability info from database – Spawns a meterpeter shell on success – Noisy
db_autopwn Demo
Client Side Exploit & Extended Usage
Client Side Exploit
Client Side Exploit & Extended Usage • Browser autopwn • Exploiting PDF • Payload Generation & Back-dooring EXE • Linux Backdoor
Browser autopwn • Automate browser based vulnerability exploitation • Perform browser finger printing • Auxiliary module server/browser_autopwnle
Browser autopwn Demo
Exploiting PDF • Most exploited software since last 2 years • Universally used software for document format • Favorite carrier for commercial malware toolkit
What all PDF do? • JavaScript runs under the context of App Object Model • File Attachment • XML, SOAP capabilities • Forms • Web Services • Database connections(ADBC)
What’s cracking up? • Vulnerable APIs – util.printf() (CVE-2008-2992) – getIcons() (CVE-2009-0927) – getAnnots() (CVE-20091492) – customDictionaryOpen() (CVE-2009-1493) – Doc.media.newPlayer (CVE-2009-4324) • File parsing vulnerabilities – JBIG2( Over a dozen CVE) – libTiff (CVE-2010-0188) • Social engineered arbit. command execution – PDF escape by Didier Stevens – Not a bug (feature) – Exploitation in the wild • Embedded Files – libTiff (CVE-2010-0188)
PDF exploitation Demo
Payload Generation and Backdooring EXE • Payload can be converted to various file format i.e. exe, dll, javascript etc. • Encode payload to evade antivirus • Can be embed with third party software/utility
msfpayload & msfencode
Linux Backdoor • Back-dooring payload with linux package • Embed payload with deb installation package
Linux Backdooring Demo
Metasploit Add-ons
Metasploit Add-ons Courtesy http://draftblogmm.blogspot.com
Fast-Track • Easy Automation • Utilize Metaspolit Framework on Backend • Modes – Interactive – Web interface
Fast-Track Demo
SET(Social Engineering Toolkit) • Weakest link in the information security chain is the natural human willingness to accept someone at their word. • SET focuses on attacking the human element • Develop in python • Very easy to use • Utilize Metaspolit Framework on Backend
SET(Social Engineering Toolkit) • Operational Mode – Interactive – Web Interface • Configuration file - config/set_config
SET Demo
Post Exploitation Fun
Post Exploitation Fun
What next after getting a Shell? • One can run the command supported by command prompt/shell. • So what extra bit control needed to en-cash the opportunity?
Meterpreter • Meta Interpreter • Post exploitation payload(tool) • Uses in-memory DLL injection stagers • Can be extended over the run time • Encrypted communication
What can be done? • Command execution • File Upload/Download • Process migration • Log Deletion • Privilege escalation • Registry modification • Deleting logs and killing antivirus • Backdoors and Rootkits • Pivoting • …..etc.
Demo Meterpreter
Channels • Communication using TLV (Type-Length-Value) • Tagging of data with channel number • Multiple program can be run at victim machine using different channel
Pivoting 2 1 LAN INTERNET Local Lan Firewall/IPS 4 3 Web Database Server DMZ Server
Demo Pivoting
Courtesy • http://www.metasploit.com/ • http://www.backtrack-linux.org • http://www.offensive-security.com/metasploit- unleashed/ • http://www.secmaniac.com/ • http://securitytube.net/ • http://vimeo.com/ • http://www.irongeek.com/ • http://www.windowsecurity.com/whitepapers/Social- Engineering-The-Weakest-Link.html • http://www.google.co.in
Thank You Murtuja Bharmal void@null.co.in Courtesy http://blingboo.com

More Related Content

PPTX
Browser Fuzzing with a Twist (and a Shake) -- ZeroNights 2015
byJeremy Brown
 
PPTX
Hacking Virtual Appliances
byJeremy Brown
 
PPTX
A Bug Hunter's Perspective on Unix Drivers
byJeremy Brown
 
PDF
EASE spectre meltdown_support
byJoe Slowik
 
PPTX
Owning windows 8 with human interface devices
byNikhil Mittal
 
PDF
Introduction to Browser Fuzzing
byn|u - The Open Security Community
 
PPTX
More fun using Kautilya
byNikhil Mittal
 
PDF
ZeroNights2012_BeEF_Workshop_antisnatchor
byMichele Orru
 
Browser Fuzzing with a Twist (and a Shake) -- ZeroNights 2015
byJeremy Brown
 
Hacking Virtual Appliances
byJeremy Brown
 
A Bug Hunter's Perspective on Unix Drivers
byJeremy Brown
 
EASE spectre meltdown_support
byJoe Slowik
 
Owning windows 8 with human interface devices
byNikhil Mittal
 
Introduction to Browser Fuzzing
byn|u - The Open Security Community
 
More fun using Kautilya
byNikhil Mittal
 
ZeroNights2012_BeEF_Workshop_antisnatchor
byMichele Orru
 

What's hot

PPTX
Kautilya: Teensy beyond shell
byNikhil Mittal
 
PDF
Distributed Fuzzing Framework Design
bybannedit
 
PPTX
Creating Havoc using Human Interface Device
byPositive Hack Days
 
PDF
ColdFusion for Penetration Testers
byChris Gates
 
PPTX
Sticky Keys to the Kingdom
byDennis Maldonado
 
PDF
Rooting Your Internals: Inter-Protocol Exploitation, custom shellcode and BeEF
byMichele Orru
 
PDF
Ultimate pen test compromising a highly secure environment (nikhil)
byClubHack
 
PPTX
Teensy Programming for Everyone
byNikhil Mittal
 
PDF
Dark Fairytales from a Phisherman (Vol. II)
byMichele Orru
 
PPTX
Outlook and Exchange for the bad guys
byNick Landers
 
PPTX
BSides London 2017 - Hunt Or Be Hunted
byAlex Davies
 
PDF
Lares from LOW to PWNED
byChris Gates
 
PPTX
Hacking the future with USB HID
byNikhil Mittal
 
PPTX
BSIDES-PR Keynote Hunting for Bad Guys
byJoff Thyer
 
PDF
1000 to 0
bySunny Neo
 
PDF
Continuous intrusion: Why CI tools are an attacker’s best friends
byNikhil Mittal
 
PDF
HackInTheBox - AMS 2011 , Spying on SpyEye - What Lies Beneath ?
byAditya K Sood
 
PDF
Privilege escalation from 1 to 0 Workshop
byHossam .M Hamed
 
PPTX
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
byBlueHat Security Conference
 
PDF
Visiting the Bear Den
byESET
 
Kautilya: Teensy beyond shell
byNikhil Mittal
 
Distributed Fuzzing Framework Design
bybannedit
 
Creating Havoc using Human Interface Device
byPositive Hack Days
 
ColdFusion for Penetration Testers
byChris Gates
 
Sticky Keys to the Kingdom
byDennis Maldonado
 
Rooting Your Internals: Inter-Protocol Exploitation, custom shellcode and BeEF
byMichele Orru
 
Ultimate pen test compromising a highly secure environment (nikhil)
byClubHack
 
Teensy Programming for Everyone
byNikhil Mittal
 
Dark Fairytales from a Phisherman (Vol. II)
byMichele Orru
 
Outlook and Exchange for the bad guys
byNick Landers
 
BSides London 2017 - Hunt Or Be Hunted
byAlex Davies
 
Lares from LOW to PWNED
byChris Gates
 
Hacking the future with USB HID
byNikhil Mittal
 
BSIDES-PR Keynote Hunting for Bad Guys
byJoff Thyer
 
1000 to 0
bySunny Neo
 
Continuous intrusion: Why CI tools are an attacker’s best friends
byNikhil Mittal
 
HackInTheBox - AMS 2011 , Spying on SpyEye - What Lies Beneath ?
byAditya K Sood
 
Privilege escalation from 1 to 0 Workshop
byHossam .M Hamed
 
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
byBlueHat Security Conference
 
Visiting the Bear Den
byESET
 

Viewers also liked

PDF
ClubHack Magazine issue 26 March 2012
byClubHack
 
PDF
XSS Shell by Vandan Joshi
byClubHack
 
PPT
Cyber Insurance
byClubHack
 
PPTX
Fatcat Automatic Web SQL Injector by Sandeep Kamble
byClubHack
 
PPTX
Cyberlaw by Mr. Pavan Duggal at ClubHack Infosec KeyNote @ Bangalore
byClubHack
 
PDF
The Difference Between the Reality and Feeling of Security by Thomas Kurian
byClubHack
 
PPTX
Summarising Snowden and Snowden as internal threat
byClubHack
 
PDF
Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gup...
byClubHack
 
PDF
India legal 31 october 2014
byClubHack
 
ClubHack Magazine issue 26 March 2012
byClubHack
 
XSS Shell by Vandan Joshi
byClubHack
 
Cyber Insurance
byClubHack
 
Fatcat Automatic Web SQL Injector by Sandeep Kamble
byClubHack
 
Cyberlaw by Mr. Pavan Duggal at ClubHack Infosec KeyNote @ Bangalore
byClubHack
 
The Difference Between the Reality and Feeling of Security by Thomas Kurian
byClubHack
 
Summarising Snowden and Snowden as internal threat
byClubHack
 
Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gup...
byClubHack
 
India legal 31 october 2014
byClubHack
 

Similar to Metasploitation part-1 (murtuja)

PDF
24 33 -_metasploit
bywozgeass
 
PPTX
Metasploit (Module-1) - Getting Started With Metasploit
byAnurag Srivastava
 
PPTX
Finalppt metasploit
bydevilback
 
PPTX
Metasploit
byParth Sahu
 
PDF
Metasploit Computer security testing tool
bymedoelkang600
 
PPTX
Metasploit
byInstitute of Information Security (IIS)
 
PPTX
Introduction To Exploitation & Metasploit
byRaghav Bisht
 
PDF
Exploits Attack on Windows Vulnerabilities
byAmit Kumbhar
 
PDF
Open Source Cyber Weaponry
byJoshua L. Davis
 
PPTX
Pentesting with linux
byHammad Ahmed Khawaja
 
PPTX
Metasploit
byLalith Sai
 
PPTX
Metasploit
bypenetration Tester
 
PPTX
metaploit framework
byLe Quyen
 
PDF
The Metasploit Framework Companion Guide
byfynboytinny
 
PDF
Metasploit Humla for Beginner
byn|u - The Open Security Community
 
PDF
Toorcon Seattle 2011 - Browser Exploit Packs
byAditya K Sood
 
PDF
Hack Attack! An Introduction to Penetration Testing
bySteve Phillips
 
PDF
01 Metasploit kung fu introduction
byMostafa Abdel-sallam
 
PPTX
BSides Algiers - Metasploit framework - Oussama Elhamer
byShellmates
 
PPTX
Metasploit framwork
byDeepanshu Gajbhiye
 
24 33 -_metasploit
bywozgeass
 
Metasploit (Module-1) - Getting Started With Metasploit
byAnurag Srivastava
 
Finalppt metasploit
bydevilback
 
Metasploit
byParth Sahu
 
Metasploit Computer security testing tool
bymedoelkang600
 
Metasploit
byInstitute of Information Security (IIS)
 
Introduction To Exploitation & Metasploit
byRaghav Bisht
 
Exploits Attack on Windows Vulnerabilities
byAmit Kumbhar
 
Open Source Cyber Weaponry
byJoshua L. Davis
 
Pentesting with linux
byHammad Ahmed Khawaja
 
Metasploit
byLalith Sai
 
Metasploit
bypenetration Tester
 
metaploit framework
byLe Quyen
 
The Metasploit Framework Companion Guide
byfynboytinny
 
Metasploit Humla for Beginner
byn|u - The Open Security Community
 
Toorcon Seattle 2011 - Browser Exploit Packs
byAditya K Sood
 
Hack Attack! An Introduction to Penetration Testing
bySteve Phillips
 
01 Metasploit kung fu introduction
byMostafa Abdel-sallam
 
BSides Algiers - Metasploit framework - Oussama Elhamer
byShellmates
 
Metasploit framwork
byDeepanshu Gajbhiye
 

More from ClubHack

PPTX
Smart Grid Security by Falgun Rathod
byClubHack
 
PPTX
Legal Nuances to the Cloud by Ritambhara Agrawal
byClubHack
 
PPT
Infrastructure Security by Sivamurthy Hiremath
byClubHack
 
PDF
Hybrid Analyzer for Web Application Security (HAWAS) by Lavakumar Kuppan
byClubHack
 
PPTX
Hacking and Securing iOS Applications by Satish Bomisstty
byClubHack
 
PPTX
Critical Infrastructure Security by Subodh Belgi
byClubHack
 
PPTX
Content Type Attack Dark Hole in the Secure Environment by Raman Gupta
byClubHack
 
PDF
Clubhack Magazine Issue February 2012
byClubHack
 
PDF
ClubHack Magazine issue April 2012
byClubHack
 
PDF
ClubHack Magazine Issue May 2012
byClubHack
 
PDF
ClubHack Magazine – December 2011
byClubHack
 
PDF
One link Facebook (Anand Pandey)
byClubHack
 
PDF
Scenatio based hacking - enterprise wireless security (Vivek Ramachandran)
byClubHack
 
PDF
Pentesting Mobile Applications (Prashant Verma)
byClubHack
 
PDF
Mere Paas Teensy Hai (Nikhil Mittal)
byClubHack
 
PDF
How Android Based Phone Helped Me Win American Idol (Elad Shapira)
byClubHack
 
PDF
Handle Explotion of Remote System Without Being Online (Merchant Bhaumik)
byClubHack
 
PDF
Dom XSS - Encounters of the 3rd Kind (Bishan Singh Kochher)
byClubHack
 
PDF
Android forensics (Manish Chasta)
byClubHack
 
PDF
Android Tamer (Anant Shrivastava)
byClubHack
 
Smart Grid Security by Falgun Rathod
byClubHack
 
Legal Nuances to the Cloud by Ritambhara Agrawal
byClubHack
 
Infrastructure Security by Sivamurthy Hiremath
byClubHack
 
Hybrid Analyzer for Web Application Security (HAWAS) by Lavakumar Kuppan
byClubHack
 
Hacking and Securing iOS Applications by Satish Bomisstty
byClubHack
 
Critical Infrastructure Security by Subodh Belgi
byClubHack
 
Content Type Attack Dark Hole in the Secure Environment by Raman Gupta
byClubHack
 
Clubhack Magazine Issue February 2012
byClubHack
 
ClubHack Magazine issue April 2012
byClubHack
 
ClubHack Magazine Issue May 2012
byClubHack
 
ClubHack Magazine – December 2011
byClubHack
 
One link Facebook (Anand Pandey)
byClubHack
 
Scenatio based hacking - enterprise wireless security (Vivek Ramachandran)
byClubHack
 
Pentesting Mobile Applications (Prashant Verma)
byClubHack
 
Mere Paas Teensy Hai (Nikhil Mittal)
byClubHack
 
How Android Based Phone Helped Me Win American Idol (Elad Shapira)
byClubHack
 
Handle Explotion of Remote System Without Being Online (Merchant Bhaumik)
byClubHack
 
Dom XSS - Encounters of the 3rd Kind (Bishan Singh Kochher)
byClubHack
 
Android forensics (Manish Chasta)
byClubHack
 
Android Tamer (Anant Shrivastava)
byClubHack
 

Recently uploaded

PDF
IDSECCONF2025 - Faisal Ilham - Semi Automating Vulnerability Scanner and Expl...
byidsecconf
 
PDF
Running Non-Cloud-Native Databases in Cloud-Native Environments_ Challenges a...
byAlkin Tezuysal
 
PDF
Building a Multi-Tenant OpenShift Platform with HyperShift
byTosin Akinosho
 
PPTX
Understanding the digital experience of FE teaching staff in 2024/25
byJisc
 
PDF
Supercharging Android Apps with On-Device AI: Gemini Nano
bydinoykraj
 
PDF
AWS Cloud Technical Essentials - AWS Certificate
byVICTOR MAESTRE RAMIREZ
 
PDF
Dev Dives: Build smarter agents with UiPath Agent Builder
byUiPathCommunity
 
PDF
IDSECCONF2025 - Aan Wahyu - Maze–Malware Analysis Platform.pdf
byidsecconf
 
PDF
PMI PMBOK8 Released on November 13, 2025
byScott M. Graffius
 
PDF
Linux Foundation Certified System Administrator (LFCS) Exam.pdf
byLinuxCert Guru
 
PDF
Raj Jain, Recent Advances, Issues, and Challenges in Cybersecurity, Keynote a...
byrjain51
 
PPTX
How Design Systems and AI Agents Accelerate Product Delivery Sixt
byBoyan Dimitrov
 
PDF
IDSECCONF2025 - Budi Rahardjo - Cyber Security and AI.pdf
byidsecconf
 
PPTX
The power of Slack and MuleSoft | Bangalore MuleSoft Meetup #60
byshyamraj55
 
PPTX
Streamlining Business Processes with UiPath Apps
byTracy Dixon
 
PDF
Supervised Machine Learning Approaches for Log-Based Anomaly Detection: A Cas...
byMohammed BEKKOUCHE
 
PPTX
Opening Plenary - Esri UK Welsh Conference 2025
byEsri UK
 
PDF
IDSECCONF2025 - Nosa Shandy - Discovering and Disclosing Privacy Vulnerabilit...
byidsecconf
 
PDF
KMWorld - KM & AI Bring Collectivity, Nostalgia, & Selectivity
byJonathan Ralton
 
PDF
Mastering UiPath Maestro – Session 2 – Building a Live Use Case - Session 2
byDianaGray10
 
IDSECCONF2025 - Faisal Ilham - Semi Automating Vulnerability Scanner and Expl...
byidsecconf
 
Running Non-Cloud-Native Databases in Cloud-Native Environments_ Challenges a...
byAlkin Tezuysal
 
Building a Multi-Tenant OpenShift Platform with HyperShift
byTosin Akinosho
 
Understanding the digital experience of FE teaching staff in 2024/25
byJisc
 
Supercharging Android Apps with On-Device AI: Gemini Nano
bydinoykraj
 
AWS Cloud Technical Essentials - AWS Certificate
byVICTOR MAESTRE RAMIREZ
 
Dev Dives: Build smarter agents with UiPath Agent Builder
byUiPathCommunity
 
IDSECCONF2025 - Aan Wahyu - Maze–Malware Analysis Platform.pdf
byidsecconf
 
PMI PMBOK8 Released on November 13, 2025
byScott M. Graffius
 
Linux Foundation Certified System Administrator (LFCS) Exam.pdf
byLinuxCert Guru
 
Raj Jain, Recent Advances, Issues, and Challenges in Cybersecurity, Keynote a...
byrjain51
 
How Design Systems and AI Agents Accelerate Product Delivery Sixt
byBoyan Dimitrov
 
IDSECCONF2025 - Budi Rahardjo - Cyber Security and AI.pdf
byidsecconf
 
The power of Slack and MuleSoft | Bangalore MuleSoft Meetup #60
byshyamraj55
 
Streamlining Business Processes with UiPath Apps
byTracy Dixon
 
Supervised Machine Learning Approaches for Log-Based Anomaly Detection: A Cas...
byMohammed BEKKOUCHE
 
Opening Plenary - Esri UK Welsh Conference 2025
byEsri UK
 
IDSECCONF2025 - Nosa Shandy - Discovering and Disclosing Privacy Vulnerabilit...
byidsecconf
 
KMWorld - KM & AI Bring Collectivity, Nostalgia, & Selectivity
byJonathan Ralton
 
Mastering UiPath Maestro – Session 2 – Building a Live Use Case - Session 2
byDianaGray10
 

Metasploitation part-1 (murtuja)

  • 1.
    Metasploitation 4 Adults it’s not family affair… Murtuja Bharmal
  • 2.
    Disclaimer Courtesy http://entertainment.desktopnexus.com_get_4642 1
  • 3.
    About Me • Now Work Busy Man…. • Unemployed…. • Interest…. /dev/random…. • Co-founder of null…. :-D • X-IBMer’s ….. • Dal, Roti ka jugad, Security Consulting/Training
  • 4.
    Agenda Courtesy http://asonchua.com
  • 5.
    Agenda • Basics • Metasploit Auxiliary • Database Integration & Exploit Automation • Client Side Exploit & Extended Usage • Post Exploitation Fun • Metasploit Add-ons
  • 6.
    Basics • What is vulnerability? • What is Exploit? • What is Payload? • What is encoder?
  • 7.
    Vulnerability Courtesy http://harryjerry.com
  • 8.
    Exploit Courtesy http://entertainment.in.msn.com
  • 9.
  • 10.
  • 11.
    Basics • Vulnerability – Opportunity Window • Exploit – En-cashing Opportunity • Payload – En-cashment Window • Encoder – Masking
  • 12.
    How it works? •Input malicious code Instead of Data • Malicious code = Exploit Code + Payload
  • 13.
    Payload + Exploit Sanitized You should be at ClubHACK Courtesy http://guardian.co.uk Courtesy http://ivillage.com
  • 14.
    Exploit Code 1 2 3 4 Courtesy 1. advice.eharmony.com 2. superstock.com 3. good-times.webshots.com 4. sheknows.com
  • 15.
    Metasploit Framework • Open Source • Developed in Ruby • Easy to Use • 600+ Exploits • 200+ payloads • 25+ encoders • 300+ auxiliary
  • 16.
    Metasploit Auxiliary Courtesy http://www.flickr.com
  • 17.
    Metasploit Architecture Courtesy http://www.offensive-security.com
  • 18.
  • 19.
    Filesystem And Libraries • lib: the 'meat' of the framework code base • data: editable files used by Metasploit • tools: various useful command-line utilities • modules: the actual MSF modules • plugins: plugins that can be loaded at run-time • scripts: Meterpreter and other scripts • external: source code and third-party libraries Courtesy http://www.offensive-security.com/metasploit-unleashed
  • 20.
  • 21.
    msfconsole • It isthe only supported way to access most of the features within Metasploit. • Provides a console-based interface to the framework • Contains the most features and is the most stable MSF interface • Full readline support, tabbing, and command completion • Execution of external commands in msfconsole is possible: Courtesy http://www.offensive-security.com/metasploit-unleashed
  • 23.
    Exploit Modules Confused howto explain technically? Courtesy http://www.sunpacmortgage.com
  • 24.
    Metasploit – Exploit& Payloads • Exploit – Active – Passive • Payload Types – Inline ( Non Staged) – Staged – Meterpreter – PassiveX – NoNX – Ord – IPv6 – Reflective DLL injection
  • 25.
  • 26.
    Metasploit Auxiliary • Helpermodules for pre-exploitation phase – Admin, DOS, Fuzzers, Gather, Scanner, Server, Spoof, SQLi, Sniffer, Test etc. • 300+ Auxiliary modules
  • 27.
    We will cover • SCANNER • MSSQL • SNMP • FTP
  • 28.
  • 29.
    Database Integration andExploit Automation
  • 30.
    Data Courtesy http://www.joy2day.com
  • 31.
    Need of Database Sanitized Youshould be at ClubHACK
  • 32.
    Need of Database •Network Penetration Testing • Easy management/storage of result • Report Generation
  • 33.
    Database Integration& Exploit Automation • Database Support • Nmap • Nessus Bridge
  • 34.
    Supported Database • Mysql- BackTrack 4 r2, MYSQL and Metasploit work together "out of the box“ • Postgres • Sqlite3 – file based database, might be pull-off in future
  • 36.
    Nmap • db_nmap commandto scan host/network • Result will be stored in database • Can view the result using db_hosts and db_services command
  • 37.
  • 38.
    Nessus Bridge • Canperform vulnerability scan inside msfconsole • Supported using nessus bridge plugin • Use xmlrpc to connect with nessusd
  • 41.
  • 42.
    In a Fingertip • db_autopwn – Automate exploitation process – Take target /service/vulnerability info from database – Spawns a meterpeter shell on success – Noisy
  • 44.
  • 45.
    Client Side Exploit& Extended Usage
  • 46.
  • 47.
    Client Side Exploit& Extended Usage • Browser autopwn • Exploiting PDF • Payload Generation & Back-dooring EXE • Linux Backdoor
  • 48.
    Browser autopwn • Automatebrowser based vulnerability exploitation • Perform browser finger printing • Auxiliary module server/browser_autopwnle
  • 49.
  • 50.
    Exploiting PDF • Mostexploited software since last 2 years • Universally used software for document format • Favorite carrier for commercial malware toolkit
  • 51.
    What all PDFdo? • JavaScript runs under the context of App Object Model • File Attachment • XML, SOAP capabilities • Forms • Web Services • Database connections(ADBC)
  • 52.
    What’s cracking up? •Vulnerable APIs – util.printf() (CVE-2008-2992) – getIcons() (CVE-2009-0927) – getAnnots() (CVE-20091492) – customDictionaryOpen() (CVE-2009-1493) – Doc.media.newPlayer (CVE-2009-4324) • File parsing vulnerabilities – JBIG2( Over a dozen CVE) – libTiff (CVE-2010-0188) • Social engineered arbit. command execution – PDF escape by Didier Stevens – Not a bug (feature) – Exploitation in the wild • Embedded Files – libTiff (CVE-2010-0188)
  • 53.
  • 54.
    Payload Generation andBackdooring EXE • Payload can be converted to various file format i.e. exe, dll, javascript etc. • Encode payload to evade antivirus • Can be embed with third party software/utility
  • 55.
  • 56.
    Linux Backdoor • Back-dooringpayload with linux package • Embed payload with deb installation package
  • 57.
  • 58.
  • 59.
    Metasploit Add-ons Courtesy http://draftblogmm.blogspot.com
  • 60.
    Fast-Track • Easy Automation •Utilize Metaspolit Framework on Backend • Modes – Interactive – Web interface
  • 61.
  • 62.
    SET(Social Engineering Toolkit) •Weakest link in the information security chain is the natural human willingness to accept someone at their word. • SET focuses on attacking the human element • Develop in python • Very easy to use • Utilize Metaspolit Framework on Backend
  • 63.
    SET(Social Engineering Toolkit) •Operational Mode – Interactive – Web Interface • Configuration file - config/set_config
  • 64.
  • 65.
  • 66.
  • 67.
    What next aftergetting a Shell? • One can run the command supported by command prompt/shell. • So what extra bit control needed to en-cash the opportunity?
  • 68.
    Meterpreter • Meta Interpreter • Post exploitation payload(tool) • Uses in-memory DLL injection stagers • Can be extended over the run time • Encrypted communication
  • 69.
    What can bedone? • Command execution • File Upload/Download • Process migration • Log Deletion • Privilege escalation • Registry modification • Deleting logs and killing antivirus • Backdoors and Rootkits • Pivoting • …..etc.
  • 70.
  • 71.
    Channels • Communication usingTLV (Type-Length-Value) • Tagging of data with channel number • Multiple program can be run at victim machine using different channel
  • 72.
    Pivoting 2 1 LAN INTERNET Local Lan Firewall/IPS 4 3 Web Database Server DMZ Server
  • 73.
  • 74.
    Courtesy • http://www.metasploit.com/ • http://www.backtrack-linux.org •http://www.offensive-security.com/metasploit- unleashed/ • http://www.secmaniac.com/ • http://securitytube.net/ • http://vimeo.com/ • http://www.irongeek.com/ • http://www.windowsecurity.com/whitepapers/Social- Engineering-The-Weakest-Link.html • http://www.google.co.in
  • 75.
    Thank You Murtuja Bharmal [email protected] Courtesy http://blingboo.com