Metasploitation 4 Adults
  it’s not a family affair…


     Murtuja Bharmal
Disclaimer (image slide; courtesy http://entertainment.desktopnexus.com)
About Me
•   Now a busy working man….
•   Unemployed….
•   Interest…. /dev/random….
•   Co-founder of null…. :-D
•   Ex-IBMer…..
•   Bread and butter (dal, roti ka jugad): security consulting/training
Agenda (image slide; courtesy http://asonchua.com)
Agenda
•   Basics
•   Metasploit Auxiliary
•   Database Integration & Exploit Automation
•   Client Side Exploit & Extended Usage
•   Post Exploitation Fun
•   Metasploit Add-ons
Basics
•   What is a vulnerability?
•   What is an exploit?
•   What is a payload?
•   What is an encoder?
Vulnerability (image slide; courtesy http://harryjerry.com)
Exploit (image slide; courtesy http://entertainment.in.msn.com)
Payload
• Use your imagination
Encoder
• Still Thinking? Ask me offline
Basics
•   Vulnerability – the window of opportunity: a bug that lets input be treated as something other than data
•   Exploit – cashing in on the opportunity: the code that triggers the bug and redirects execution
•   Payload – what you cash in: the code that runs on the target once the exploit succeeds (a shell, Meterpreter, …)
•   Encoder – masking: re-encodes the payload so it avoids bad characters and simple signature matching, with a small decoder stub prepended so the original bytes are restored at run time
How it works?
• Supply crafted input where the program expects plain data
• Malicious input = exploit code (triggers the bug and steers execution) + payload (what runs afterwards)
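As an added example (not from the talk), the split between exploit code and payload, and the encoder as masking, in Ruby. The target offset, the return address and the payload bytes are made up for the example; a real payload would be machine code and a real encoder would prepend a decoder stub, which here is modelled by the `xor_decode` function rather than by shellcode.

```ruby
# Added example, not the talk's code: how exploit code, payload and encoder fit
# together. The "exploit" is a stand-in for a classic stack overflow: padding
# up to the saved return address, an address that redirects execution, then
# the (encoded) payload.

# Constructed stand-in payload. It contains a NUL and a newline, bytes that
# many string-handling bugs cannot deliver: the "bad characters".
RAW_PAYLOAD = "\xCC\x00\x0A\x90\x90\xE8\x00\x00\x00\x00".b

# Assumed target parameters (hypothetical): bytes up to the saved return
# address and the value to overwrite it with, packed little-endian.
OFFSET      = 32
RET_ADDRESS = 0x41424344

# Bad characters the delivery path cannot carry (assumed for the example).
BADCHARS = [0x00, 0x0A, 0x0D].freeze

# Encoder = masking. A single-byte XOR keeps the payload's meaning but changes
# every byte; the key is chosen so that neither the key nor any encoded byte
# is a bad character. Returns [key, encoded_bytes].
def xor_encode(payload, badchars)
  (1..255).each do |key|
    next if badchars.include?(key)
    encoded = payload.bytes.map { |b| b ^ key }
    next if encoded.any? { |b| badchars.include?(b) }
    return [key, encoded.pack("C*")]
  end
  raise "no single-byte XOR key avoids the bad characters"
end

# What the decoder stub does on the target: undo the masking before running.
def xor_decode(key, encoded)
  encoded.bytes.map { |b| b ^ key }.pack("C*")
end

# Exploit code: assemble the input that is sent instead of ordinary data.
# Layout: junk | return address | key byte | encoded payload.
def build_exploit_input(payload, badchars, offset: OFFSET, ret: RET_ADDRESS)
  key, encoded = xor_encode(payload, badchars)
  junk      = "A" * offset
  ret_bytes = [ret].pack("V")            # 32-bit little-endian
  buf = junk + ret_bytes + [key].pack("C") + encoded
  raise "bad character in final buffer" if buf.bytes.any? { |b| badchars.include?(b) }
  buf
end

if __FILE__ == $0
  buf = build_exploit_input(RAW_PAYLOAD, BADCHARS)
  puts "buffer length: #{buf.bytesize} bytes"
  puts buf.unpack1("H*")
end
```

The check at the end of `build_exploit_input` is the one that matters in practice: an exploit that delivers a single bad byte fails silently, so the whole buffer, not just the payload, is verified against the bad-character set.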
Payload + Exploit (image slide, sanitized for the published deck: "You should be at ClubHACK"; courtesy http://guardian.co.uk and http://ivillage.com)
Exploit Code (four-image slide; courtesy 1. advice.eharmony.com 2. superstock.com 3. good-times.webshots.com 4. sheknows.com)
Metasploit Framework
•   Open source
•   Developed in Ruby
•   Easy to use
•   600+ exploits
•   200+ payloads
•   25+ encoders
•   300+ auxiliary modules
    (module counts as of this talk; they have grown considerably since)
Metasploit Auxiliary (image slide; courtesy http://www.flickr.com)
Metasploit Architecture (diagram slide; courtesy http://www.offensive-security.com)
Directory Structure
Filesystem and Libraries
•   lib: the 'meat' of the framework code base
•   data: editable files used by Metasploit
•   tools: various useful command-line utilities
•   modules: the actual MSF modules (exploits, auxiliary, payloads, encoders, nops, …)
•   plugins: plugins that can be loaded at run-time
•   scripts: Meterpreter and other scripts
•   external: source code and third-party libraries

                       Courtesy http://www.offensive-security.com/metasploit-unleashed
msfconsole
• It is the only supported way to access most of the
  features within Metasploit.
• Provides a console-based interface to the framework
• Contains the most features and is the most stable MSF interface
• Full readline support, tabbing, and command completion
• External commands can be run from the msf prompt: anything that is not a
  console command (e.g. ping, nmap) is passed to the underlying shell

                      Courtesy http://www.offensive-security.com/metasploit-unleashed
Metasploitation part-1 (murtuja)
Exploit Modules (image slide: "Confused how to explain technically?"; courtesy http://www.sunpacmortgage.com)
Metasploit – Exploits & Payloads
• Exploit
   – Active: connects out to a vulnerable service and exploits it directly
   – Passive: starts a listener and waits for a client (browser, mail reader, …) to connect, i.e. client-side
• Payload Types
   –   Inline (non-staged): the complete shellcode goes with the exploit in one go; larger, but nothing more to fetch
   –   Staged: a small stager is sent first and pulls the rest (the stage) over the connection
   –   Meterpreter: an in-memory, extensible stage (see Post Exploitation)
   –   PassiveX: stage delivered through Internet Explorer's ActiveX mechanism, tunnelled over HTTP
   –   NoNX: avoids executing from non-executable (DEP/NX) memory pages
   –   Ord: ordinal payloads, tiny stagers that find functions by ordinal in a DLL
   –   IPv6: stagers that connect over IPv6
   –   Reflective DLL injection: the stage is a DLL that loads itself into memory without touching disk
Exploit DEMO
Metasploit Auxiliary
• Helper modules for the pre-exploitation phase; they do not deliver a payload
  – Admin, DoS, Fuzzers, Gather, Scanner, Server, Spoof, SQLi, Sniffer, Test, etc.
• 300+ auxiliary modules
We will cover
•   SCANNER
•   MSSQL
•   SNMP
•   FTP
Auxiliary DEMO
Database Integration and Exploit Automation
Data (image slide; courtesy http://www.joy2day.com)
Need for a Database
(image slide, sanitized for the published deck: "You should be at ClubHACK")
• Network penetration testing produces a lot of host/service/vulnerability data
• Easy management/storage of results
• Report generation
Database Integration & Exploit Automation
• Database support
• Nmap
• Nessus Bridge
Supported Databases
• MySQL – on BackTrack 4 R2, MySQL and Metasploit work together "out of the box"
• PostgreSQL
• SQLite3 – file-based database; may be dropped in a future release
  (later Metasploit releases did drop MySQL and SQLite3 and support PostgreSQL only)
Nmap
• db_nmap runs Nmap against a host/network from inside msfconsole
• Results (hosts, ports, service banners) are stored in the database
• View them with the db_hosts and db_services commands
  (shortened to hosts and services in later releases)
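What db_nmap does behind the scenes, reduced to its essentials, as an added example in Ruby (not Metasploit's own import code): Nmap's XML output is parsed into host and service records, then queried the way db_hosts and db_services present them. The XML document is constructed for the example, not the output of a real scan, and the addresses are from the documentation range.

```ruby
require "rexml/document"

# Added example, not Metasploit's code. Constructed Nmap XML (not a real scan):
# two hosts up, one down, open and closed ports, TCP and UDP.
NMAP_XML = <<~XML
  <?xml version="1.0"?>
  <nmaprun scanner="nmap" args="nmap -sV -oX - 192.0.2.0/29">
    <host><status state="up"/>
      <address addr="192.0.2.10" addrtype="ipv4"/>
      <hostnames><hostname name="web.example.test"/></hostnames>
      <ports>
        <port protocol="tcp" portid="21"><state state="open"/><service name="ftp" product="vsftpd" version="2.3.4"/></port>
        <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd"/></port>
        <port protocol="tcp" portid="443"><state state="closed"/><service name="https"/></port>
      </ports>
    </host>
    <host><status state="up"/>
      <address addr="192.0.2.11" addrtype="ipv4"/>
      <ports>
        <port protocol="tcp" portid="1433"><state state="open"/><service name="ms-sql-s" product="Microsoft SQL Server"/></port>
        <port protocol="udp" portid="161"><state state="open"/><service name="snmp"/></port>
      </ports>
    </host>
    <host><status state="down"/>
      <address addr="192.0.2.12" addrtype="ipv4"/>
    </host>
  </nmaprun>
XML

Host    = Struct.new(:address, :name, :state)
Service = Struct.new(:host, :port, :proto, :state, :name, :info)

# In-memory stand-in for the workspace tables that db_nmap fills.
class Workspace
  attr_reader :hosts, :services

  def initialize
    @hosts    = {}   # address => Host
    @services = []
  end

  # Record every host Nmap reported and every port it listed for that host.
  # Closed/filtered ports are kept too; filtering happens at query time.
  def import_nmap_xml(xml)
    doc = REXML::Document.new(xml)
    doc.elements.each("nmaprun/host") do |h|
      addr  = h.elements["address[@addrtype='ipv4']"].attributes["addr"]
      state = h.elements["status"].attributes["state"]
      hn    = h.elements["hostnames/hostname"]
      @hosts[addr] = Host.new(addr, hn && hn.attributes["name"], state)
      h.elements.each("ports/port") do |p|
        svc  = p.elements["service"]
        info = svc ? [svc.attributes["product"], svc.attributes["version"]].compact.join(" ") : ""
        @services << Service.new(addr,
                                 p.attributes["portid"].to_i,
                                 p.attributes["protocol"],
                                 p.elements["state"].attributes["state"],
                                 svc ? svc.attributes["name"] : nil,
                                 info)
      end
    end
    self
  end

  # db_hosts: addresses of hosts that answered.
  def up_hosts
    @hosts.values.select { |h| h.state == "up" }.map(&:address).sort
  end

  # db_services: open services, optionally only one service name (e.g. "ftp").
  def open_services(name: nil)
    @services.select { |s| s.state == "open" && (name.nil? || s.name == name) }
  end
end

if __FILE__ == $0
  ws = Workspace.new.import_nmap_xml(NMAP_XML)
  puts "hosts up: #{ws.up_hosts.join(', ')}"
  ws.open_services.each do |s|
    puts format("%-12s %5d/%-3s %-9s %s", s.host, s.port, s.proto, s.name, s.info)
  end
end
```

The `open_services(name: "ftp")` query is the step that feeds the auxiliary modules covered earlier: once the database holds the services, the scanner for a given protocol is pointed at exactly the hosts that expose it.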
NMAP Demo
Nessus Bridge
• Perform a vulnerability scan without leaving msfconsole
• Provided by the nessus bridge plugin (load nessus)
• Talks to nessusd over its XML-RPC interface
Nessus Bridge Demo
At your fingertips
• db_autopwn
  – Automates the exploitation process
  – Takes target/service/vulnerability info from the database and launches every matching exploit
  – Spawns a Meterpreter shell on success
  – Noisy: it fires exploits blindly, so expect crashed services, IDS alerts and log entries
    (db_autopwn was later removed from the main framework)
db_autopwn Demo
Client Side Exploit & Extended Usage
•   Browser autopwn
•   Exploiting PDF
•   Payload Generation & Back-dooring EXE
•   Linux Backdoor
Browser autopwn
• Automates browser-based vulnerability exploitation
• Fingerprints the connecting browser and serves the exploits that match it
• Auxiliary module: auxiliary/server/browser_autopwn
Browser autopwn Demo
Exploiting PDF
• PDF readers were among the most exploited client software in the two years before this talk
• PDF is a universally used document format
• Favourite carrier for commercial malware toolkits
What can a PDF do?
• Run JavaScript under Acrobat's JavaScript object model (app, doc, util, …)
• Carry file attachments
• XML and SOAP capabilities
• Forms
• Web services
• Database connections (ADBC)
What’s cracking up?
•   Vulnerable APIs
     – util.printf() (CVE-2008-2992)
     – getIcons() (CVE-2009-0927)
     – getAnnots() (CVE-2009-1492)
     – customDictionaryOpen() (CVE-2009-1493)
     – Doc.media.newPlayer() (CVE-2009-4324)
•   File parsing vulnerabilities
     –   JBIG2 (over a dozen CVEs)
     –   libTIFF (CVE-2010-0188)
•   Social-engineered arbitrary command execution
     –   /Launch action abuse, published by Didier Stevens
     –   Not a bug: a feature of the format
     –   Exploited in the wild
•   Embedded Files
     –   libTIFF (CVE-2010-0188)
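The features listed above are also what a defender looks for when triaging a suspicious PDF. As an added example (not from the talk, and not Didier Stevens' pdfid itself), a pdfid-style keyword count in Ruby: it first undoes the `#xx` hex-escaping that PDF allows inside names (so `/J#61vaScript` is seen as `/JavaScript`), which malware toolkits use to dodge naive greps, and then flags the combination of an automatic action with active content. The PDF bytes are constructed for the example and include a `/Launch` action of the "feature, not a bug" kind.

```ruby
# Added example, not the talk's code: pdfid-style triage of a PDF.

# Names that signal active content or automatic actions.
RISKY_NAMES = %w[/JavaScript /JS /Launch /OpenAction /AA /EmbeddedFile
                 /JBIG2Decode /AcroForm /RichMedia /ObjStm].freeze

# PDF names may escape any byte as #xx; normalise so /J#61vaScript == /JavaScript.
def normalise_names(data)
  data.gsub(/#([0-9A-Fa-f]{2})/) { $1.hex.chr }
end

# Count each risky name in the (normalised) document. A name ends at a
# delimiter or whitespace, so /JS must not match the start of /JSx.
def pdf_triage(data)
  text = normalise_names(data.b)
  RISKY_NAMES.each_with_object({}) do |name, counts|
    n = text.scan(/#{Regexp.escape(name)}(?![A-Za-z0-9])/).size
    counts[name] = n if n > 0
  end
end

# The classic drive-by shape: something runs automatically on open
# (/OpenAction or /AA) and there is script, a launch action or an attachment.
def suspicious?(counts)
  auto   = counts.key?("/OpenAction") || counts.key?("/AA")
  active = %w[/JavaScript /JS /Launch /EmbeddedFile].any? { |n| counts.key?(n) }
  auto && active
end

# Constructed sample, not a real malicious file: an OpenAction that points at
# a JavaScript action (with the name hex-escaped), plus a /Launch action.
SAMPLE_PDF = <<~PDF.b
  %PDF-1.6
  1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >> endobj
  2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
  3 0 obj << /Type /Page /Parent 2 0 R /AA << /O 5 0 R >> >> endobj
  4 0 obj << /Type /Action /S /Launch /Win << /F (cmd.exe) /P (/c calc.exe) >> >> endobj
  5 0 obj << /S /J#61vaScript /JS (util.printf("%45000f", 0);) >> endobj
  trailer << /Root 1 0 R >>
  %%EOF
PDF

if __FILE__ == $0
  counts = pdf_triage(SAMPLE_PDF)
  counts.each { |name, n| puts format("%-14s %d", name, n) }
  puts "verdict: #{suspicious?(counts) ? 'suspicious' : 'nothing obvious'}"
end
```

Keyword counting is a triage signal, not a verdict: a benign form can legitimately contain `/AcroForm` and `/JS`, and a determined author can hide names inside compressed object streams (`/ObjStm`), which is why that name is in the list as a prompt to decompress and look again.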
PDF exploitation Demo
Payload Generation and Backdooring EXE
• A payload can be emitted in various formats, e.g. exe, dll, JavaScript, raw shellcode
• Encoding the payload changes its bytes to evade antivirus signatures
• The payload can be embedded in a third-party executable (msfencode -x template.exe -k)
  so the host program keeps working while the payload runs alongside it
msfpayload & msfencode
(both were later merged into msfvenom)
Linux Backdoor
• Backdooring a Linux package with a payload
• Embed the payload in a .deb installation package so that the package's maintainer script starts it on install
Linux Backdooring Demo
Metasploit Add-ons (image slide; courtesy http://draftblogmm.blogspot.com)
Fast-Track
• Easy automation
• Uses the Metasploit Framework on the backend
• Modes
  – Interactive
  – Web interface
Fast-Track Demo
SET (Social Engineering Toolkit)
• The weakest link in the information security chain is the natural human
  willingness to accept someone at their word.
• SET focuses on attacking the human element
• Developed in Python
• Very easy to use
• Uses the Metasploit Framework on the backend
SET (Social Engineering Toolkit)
• Operational modes
  – Interactive
  – Web interface
• Configuration file: config/set_config
SET Demo
Post Exploitation Fun
What next after getting a shell?
• One can run whatever the command prompt/shell supports.
• So what extra control is needed to make the most of the foothold?
Meterpreter
•   Meta Interpreter
•   Post exploitation payload(tool)
•   Uses in-memory DLL injection stagers
•   Can be extended over the run time
•   Encrypted communication
What can be done?
•   Command execution
•   File upload/download
•   Process migration
•   Privilege escalation
•   Registry modification
•   Deleting logs and killing antivirus
•   Backdoors and rootkits
•   Pivoting
•   …..etc.
Demo Meterpreter
Channels
• Meterpreter packets are TLV (Type-Length-Value) encoded
• Data is tagged with a channel number
• Several programs can run on the victim at once, each talking over its own channel of the one session
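The idea behind the slide, as an added example in Ruby that is not Meterpreter's actual wire format: each TLV is a 4-byte length (covering the 8-byte header and the value), a 4-byte type and the value; a packet is a run of TLVs, one of which carries the channel id, so that output from several programs can share one session and be demultiplexed on the attacker's side. The type numbers and the "channel_write" method name are assumed for the example.

```ruby
# Added example, not Meterpreter's real protocol: a minimal TLV codec with
# channel tagging. Lengths and types are big-endian 32-bit integers.

TLV_TYPE_CHANNEL_ID = 0x0001   # assumed type numbers for the example
TLV_TYPE_DATA       = 0x0002
TLV_TYPE_METHOD     = 0x0003

# One TLV: length (8 + value size), type, value.
def tlv_pack(type, value)
  value = value.to_s.b
  [8 + value.bytesize, type].pack("NN") + value
end

# Parse a packet into [type, value] pairs. Length fields come from the peer,
# so every one is checked against what is actually present instead of trusted.
def tlv_unpack(packet)
  packet = packet.b
  tlvs = []
  off = 0
  while off < packet.bytesize
    raise "truncated TLV header at #{off}" if packet.bytesize - off < 8
    len, type = packet.byteslice(off, 8).unpack("NN")
    raise "bad TLV length #{len} at #{off}" if len < 8 || off + len > packet.bytesize
    tlvs << [type, packet.byteslice(off + 8, len - 8)]
    off += len
  end
  tlvs
end

# Build a "write this data to channel N" packet.
def channel_write(channel_id, data)
  tlv_pack(TLV_TYPE_METHOD, "channel_write") +
    tlv_pack(TLV_TYPE_CHANNEL_ID, [channel_id].pack("N")) +
    tlv_pack(TLV_TYPE_DATA, data)
end

# Demultiplex a stream of packets into one buffer per channel, as the
# controlling side does to keep two programs' output apart.
def demux(packets)
  buffers = Hash.new { |h, k| h[k] = "".b }
  packets.each do |pkt|
    tlvs = tlv_unpack(pkt)
    chan = tlvs.find { |t, _| t == TLV_TYPE_CHANNEL_ID }
    data = tlvs.find { |t, _| t == TLV_TYPE_DATA }
    raise "packet without channel id" unless chan
    buffers[chan[1].unpack1("N")] << data[1] if data
  end
  buffers
end

if __FILE__ == $0
  # Constructed traffic: two channels interleaved on one session.
  stream = [channel_write(1, "C:\\> "), channel_write(2, "total 0\n"), channel_write(1, "dir\r\n")]
  demux(stream).each { |id, buf| puts "channel #{id}: #{buf.inspect}" }
  puts channel_write(1, "x").unpack1("H*")
end
```

The length checks in `tlv_unpack` are the part worth copying: a parser that trusts a peer-supplied length is the usual way a protocol handler itself becomes the vulnerability.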
Pivoting
(Diagram, with steps numbered 1–4 in the original: Internet → Firewall/IPS → Web Server in the DMZ → Database Server → local LAN. Once the web server is compromised, its Meterpreter session becomes the route into the DMZ and the LAN behind the firewall.)
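The routing decision behind `route add <subnet> <netmask> <session id>` in msfconsole, as an added example in Ruby (not Metasploit's own routing code): each route says which Meterpreter session should carry traffic for a subnet, the most specific route wins, and anything unrouted goes out directly. The session numbers, the DMZ and LAN prefixes and the addresses follow the diagram above but are assumed for the example.

```ruby
require "ipaddr"

# Added example, not Metasploit's code: a pivot routing table.

Route = Struct.new(:network, :session)   # network: IPAddr with prefix length

class PivotTable
  def initialize
    @routes = []
  end

  # route add 172.16.0.0 255.255.255.0 1
  def add(subnet, mask, session)
    prefix = IPAddr.new(mask).to_i.to_s(2).count("1")   # dotted mask -> prefix length
    @routes << Route.new(IPAddr.new("#{subnet}/#{prefix}"), session)
    self
  end

  # Longest-prefix match. nil means "no pivot: connect directly".
  def session_for(ip)
    addr = IPAddr.new(ip)
    best = @routes.select { |r| r.network.include?(addr) }
                  .max_by { |r| r.network.prefix }
    best && best.session
  end

  # route print
  def to_s
    @routes.map { |r| format("%-18s via session %d", r.network.to_s + "/#{r.network.prefix}", r.session) }.join("\n")
  end
end

# The diagram's layout with assumed addresses: the DMZ is reached through the
# web server's session, the internal LAN through the database server's, and
# one LAN segment through a further session obtained from the LAN.
def example_table
  PivotTable.new
    .add("172.16.0.0", "255.255.255.0", 1)   # DMZ via web server (session 1)
    .add("10.0.0.0",   "255.0.0.0",     2)   # LAN via database server (session 2)
    .add("10.0.5.0",   "255.255.255.0", 3)   # one LAN segment via a later session
end

if __FILE__ == $0
  t = example_table
  puts t
  %w[172.16.0.20 10.0.5.7 10.9.9.9 203.0.113.5].each do |ip|
    s = t.session_for(ip)
    puts "#{ip} -> #{s ? "session #{s}" : 'direct'}"
  end
end
```

With such routes in place, the auxiliary scanners and exploits covered earlier can be pointed at 10.x addresses that the attacker's machine cannot reach at all; the framework hands the connection to the session that owns the matching route.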
Demo Pivoting
Courtesy
• http://www.metasploit.com/
• http://www.backtrack-linux.org
• http://www.offensive-security.com/metasploit-unleashed/
• http://www.secmaniac.com/
• http://securitytube.net/
• http://vimeo.com/
• http://www.irongeek.com/
• http://www.windowsecurity.com/whitepapers/Social-Engineering-The-Weakest-Link.html
• http://www.google.co.in
Thank You
     Murtuja Bharmal
          void@null.co.in
               (image slide; courtesy http://blingboo.com)
