Metasploit Framework v3
The new MSF 3.0 Architecture
[Figure: MSF 3.0 Architecture]
Multitasking through Ruby threads
- Share a single framework instance with many users
- Great for team-based penetration testing
- The multi-user plugin is only ~20 lines of code :-)
Concurrent exploits and sessions
- Support for passive exploits and recon modules
- Multiple payload sessions open at once
- Suspend and restore payload sessions
- Share payload sessions with other users
- Handle multi-victim exploits :-)
Rewrite of all exploit modules
- Massive number of bug fixes
- Improved randomness, use of Mixins
Exploit module structure
- A single exploit can target many platforms
- Simplified the meta-information fields
- Mixins can also modify exploit behavior
- Target brute forcing
- Passive exploits
MSF Plug-ins
Msfd plugin
“This plugin provides an msf daemon interface that spawns a listener on a defined port (default 55554) and gives each connecting client its own console interface. These consoles all share the same framework instance. Be aware that the console instance that spawns on the port is entirely unauthenticated, so realize that you have been warned.”
[Figure: Loading the msfd plugin and connecting to the daemon]
By default msfd listens on 127.0.0.1, which won't do for remote clients ☺. Change the default hostname in plugins/msfd.rb to the IP of the box running msfd and connect to that address instead:
       # The default local hostname that the server listens on.
       #
       DefaultHost = "192.168.0.105"
[Figure: Connecting to the msfd daemon on an IP]
To unload the plugin, just type unload <plugin name> (for example, unload msfd).
[Figure: Unloading the plugin]
Recon Modules
UDP Sweep
[Figure: Using the sweep_udp recon module]
SMB Version
[Figure: Using the SMB version recon module]
Using the Metasploit v3 console
[Figure: MSF 3 console]
Show exploits
[Figure: Output of the show exploits command]
Selecting an exploit and showing the options
[Figure: Selecting the exploit and showing the options]
Showing the available payloads
[Figure: Listing the available payloads]
Select your payload and target
[Figure: Selecting the payload and the target (automatic)]
Launch the exploit
[Figure: Launching the exploit]
Using the MSF v3 Meterpreter
The Meterpreter help menu and options
[Figure: Meterpreter help menu]
Downloading a file from the remote host
[Figure: Downloading a file from a remote host]
Reading a file on the remote host
[Figure: Reading a file on the remote host using cat]
Executing a command
[Figure: Starting a hidden cmd.exe and interacting with it]
Loading the “priv” extension
[Figure: Loading the “priv” extension]
The priv extension help menu
[Figure: The priv extension help menu]
Using the priv extension
The priv extension provides the hashdump command, which dumps the SAM password hashes, and the timestomp command.
Hashdump command
[Figure: Output of the hashdump command]
Timestomp Command
[Figure: Output of the timestomp help menu]
[Figure: Output of the timestomp command with various options]
Process Migration
You can hide MSF inside another process either by migrating to an existing process or by starting an ordinary process such as calc.exe and migrating to that.
[Figure: Getting the current PID and creating another process (calc.exe)]
[Figure: Migrating the meterpreter process to the process we created]
The future of MSF
Turning Metasploit into Nessus
- Database backend provides a “KB” (knowledge base) function
- Auxiliary modules for assessment/discovery
- Event coordinator for triggering modules
- Report generator uses the database
Creating a professional mass-rooter
- Auxiliary modules perform discovery
- Exploit modules perform vuln checks
- Plugins automate exploitation
- Plugins automate post-exploitation
- Dump XML reports via ActiveRecord
Resources
“Metasploit completes license change, updates framework”
http://searchsecurity.techtarget.com/columnItem/0,294698,sid14_gci1210976,00.html