01 Metasploit kung fu introduction
Metasploit Kung-Fu
Exploitation Art With Metasploit
:~#whoami
Name : Mostafa Abdel-sallam
Job : Cyber Security Researcher
CEO & Cofounder of Security Scope && Cyber Sec Dep. Head @ Source Valley
Facebook Account : https://www.fb.com/Metasploiter
Email : mostafaabdelsallam@gmail.com
Metasploit Kung-Fu
• Introduction & Basics Modules
• Exploitation & Post Exploitation
• Payload, Backdoors & Malwares
• WEB Applications Attacks
• Windows Exploit Development (Buffer Overflow)
LAB Requirements
• Minimum Requirements
– 4 GB of RAM
– Core i3 Processor
– 30 GB Disk Space
• My PC Components
– 6 GB of RAM
– AMD x6 Processor 6 Core
– 50 GB Disk Space
– All of this with useless video card ATI 3000
• Can’t play POP: The Forgotten Sands with good graphics and performance
What is Metasploit Framework
• About Metasploit
Metasploit Framework is an open source penetration testing project
that helps you find vulnerabilities in systems and applications and
exploit those weak points in order to understand how to fix them
• Metasploit is also used for:
– Foot-Printing and Reconnaissance
– Network Scanning
– Exploitation
– Malware Development
– WEB Application Attacks
Metasploit History
• Metasploit was created by H. D. Moore in 2003 using Perl
• By 2007, the Metasploit Framework had been completely rewritten in Ruby.
• On October 21, 2009, the Metasploit Project announced that it had been acquired
by Rapid7, a security company that provides unified vulnerability management
solutions
Why Ruby ?
• The Ruby programming language was selected over other choices, such as Python, Perl,
and C++ for quite a few reasons.
• The first (and primary) reason that Ruby was selected was because it was a language that
the Metasploit staff enjoyed writing in.
• After spending time analyzing other languages and factoring in past experiences, the Ruby
programming language was found to offer both a simple and powerful approach to an
interpreted language.
• The syntax is incredibly simple and provides the same level of language features that
other more widely accepted languages have, like Perl.
Metasploit Editions
• Metasploit Framework Edition
– The free version; it contains a command line interface, third-party import, manual exploitation and manual brute
forcing.
• Metasploit Community Edition
– In October 2011, Rapid7 released Metasploit Community Edition, a free, web-based user interface for
Metasploit. Metasploit Community is based on the commercial functionality of the paid-for editions with a
reduced set of features, including network discovery, module browsing and manual exploitation. Metasploit
Community is included in the main installer.
• Metasploit Express
– In April 2010, Rapid7 released Metasploit Express, an open-core commercial edition for security teams who
need to verify vulnerabilities. It offers a graphical user interface, integrates Nmap for discovery, and adds
smart brute forcing as well as automated evidence collection.
• Metasploit Pro
– In October 2010, Rapid7 added Metasploit Pro, an open-core commercial Metasploit edition for penetration
testers. Metasploit Pro includes all features of Metasploit Express and adds web application scanning and
exploitation, social engineering campaigns and VPN pivoting.
Metasploit Architecture
[Diagram: Metasploit architecture]
The MSF libraries help us to run our exploits
without having to write additional code for
rudimentary tasks, such as HTTP requests or
encoding of payloads.
Metasploit Libraries
• Rex
– The basic library for most tasks
– Handles sockets, protocols, text transformations, and others
– SSL, SMB, HTTP, XOR, Base64, Unicode
• MSF::Core
– Provides the ‘basic’ API
– Defines the Metasploit Framework
• MSF::Base
– Provides the ‘friendly’ API
– Provides simplified APIs for use in the Framework
Metasploit Modules
• Exploit
– Code which allows an attacker to take advantage of a vulnerability in a system
• Payload
– Actual code which runs on the system after exploitation
• Auxiliary
– Modules that perform scanning, fuzzing, sniffing, and much more
• Encoder
– Encoders ensure that payloads make it to their destination
• Nops
– Nops keep the payload sizes consistent
Metasploit Directories
The MSF file system is laid out in an intuitive manner and is organized by directory.
Metasploit Interfaces [msfconsole]
• What is the msfconsole?
– The msfconsole is probably the most popular interface to the Metasploit Framework
(MSF). It provides an “all-in-one” centralized console and allows you efficient access to
virtually all of the options available in the MSF. Msfconsole may seem intimidating at
first, but once you learn the syntax of the commands you will learn to appreciate the
power of utilizing this interface.
Metasploit Web Interface [msfweb]
• What is MSFWEB ?
– The Metasploit web interface is very easy to use. It is not faster than the other interfaces,
but it helps when you need to explain something to your manager or an
administrator
Metasploit GUI [msfgui]
• What is MSFGUI ?
– msfgui is the Metasploit Framework Graphical User Interface.
It provides the easiest way to use Metasploit, whether running locally or connecting
remotely: build payloads, launch exploits, control sessions, and keep track of activity as
you penetration test or just learn about security. It will never have ads, nag you to buy
products, abuse your personal information, or even ask for your personal information.
Metasploit Armitage [Armitage]
• What is Armitage ?
– Armitage is a scriptable red team collaboration tool for Metasploit that visualizes
targets, recommends exploits, and exposes the advanced post-exploitation features in
the framework.
Metasploit Command Basics
• Some of core commands
– ? >> Help menu
– banner >> Display an awesome metasploit banner
– cd >> Change the current working directory
– color >> Toggle color
– version >> Show the framework and console library version numbers
– show >> Displays modules of a given type, or all modules
– use >> Selects a module by name
– back >> Move back from the current context
– search >> Searches module names and descriptions
– set >> Sets a context-specific variable to a value
– quit >> Exit the console
Metasploit Database Commands
• Database backend commands
– db_status >> Show the current database status
– workspace >> Switch between database workspaces
– db_connect >> Connect to an existing database
– db_disconnect >> Disconnect from the current database instance
– db_export >> Export a file containing the contents of the database
– db_import >> Import a scan result file (file type will be auto-detected)
– hosts >> List all hosts in the database
– services >> List all services in the database
Information Gathering With Metasploit
• Foot-Printing & Reconnaissance
– Footprint analysis (reconnaissance) is the first step typically performed by a network attacker.
During footprint analysis the attacker gathers information about the target network in order
to map its addresses, devices, operating systems and the applications running on it
• Network Scanning
– Network scanning is a procedure for identifying active hosts on a network, either for the purpose
of attacking them or for network security assessment. Scanning procedures, such as ping
sweeps and port scans, return information about which IP addresses map to live hosts that are
active on the Internet and what services they offer. Another scanning method, inverse mapping,
returns information about what IP addresses do not map to live hosts; this enables an attacker to
make assumptions about viable addresses.
Basic Foot-Printing Modules in Metasploit
• Extracting Emails, Internal URLs and DNS Info
– auxiliary/gather/search_email_collector
– auxiliary/gather/dns_info
– auxiliary/gather/enum_dns
– auxiliary/gather/dns_srv_enum
– auxiliary/scanner/mssql/mssql_ping
• HTTP Scanning Modules
– auxiliary/scanner/http/dir_listing
– auxiliary/scanner/http/dir_scanner
– auxiliary/scanner/http/dir_webdav_unicode_bypass
– auxiliary/scanner/http/enum_wayback
Scanning Modules
• Network Scanners Modules
– auxiliary/scanner/discovery/arp_sweep
– auxiliary/scanner/discovery/ipv6_neighbor
– auxiliary/scanner/discovery/udp_probe
– auxiliary/scanner/discovery/udp_sweep
• Port Scanners Modules
– auxiliary/scanner/portscan/tcp
– auxiliary/scanner/portscan/syn
– auxiliary/scanner/portscan/ack
– auxiliary/scanner/portscan/xmas
• Service Identification Modules
– auxiliary/scanner/http/http_version
– auxiliary/scanner/ftp/ftp_version
– auxiliary/scanner/telnet/telnet_version
– auxiliary/scanner/smb/smb_version
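The scanning section above describes ping sweeps and port scans, and the portscan modules listed here include SYN, ACK and XMAS variants. The following Ruby script is an added example (not part of the slides or of Metasploit) that shows how a defender can spot those three patterns in connection logs; the log format, the sample lines and the thresholds are all constructed for this example.

```ruby
# Added example: detect ping sweeps, port scans and XMAS probes in
# constructed firewall-style logs. Not code from the slides or Metasploit.

# Constructed sample log, one connection attempt per line:
#   <src_ip> <dst_ip> <proto> <dst_port> <tcp_flags>   (flags: S=SYN F=FIN P=PSH U=URG A=ACK)
SAMPLE_LOG = <<~LOG
  10.0.0.5 10.0.0.1 icmp 0 -
  10.0.0.5 10.0.0.2 icmp 0 -
  10.0.0.5 10.0.0.3 icmp 0 -
  10.0.0.5 10.0.0.4 icmp 0 -
  10.0.0.5 10.0.0.9 icmp 0 -
  10.0.0.5 10.0.0.9 tcp 21 S
  10.0.0.5 10.0.0.9 tcp 22 S
  10.0.0.5 10.0.0.9 tcp 23 S
  10.0.0.5 10.0.0.9 tcp 80 S
  10.0.0.5 10.0.0.9 tcp 139 S
  10.0.0.5 10.0.0.9 tcp 445 S
  10.0.0.7 10.0.0.9 tcp 80 FPU
  10.0.0.8 10.0.0.9 tcp 443 S
LOG

Entry = Struct.new(:src, :dst, :proto, :port, :flags)

# Parse the constructed format; malformed lines are skipped rather than raising.
def parse_log(text)
  text.each_line.map do |line|
    f = line.split
    next if f.size != 5
    Entry.new(f[0], f[1], f[2], f[3].to_i, f[4])
  end.compact
end

# Thresholds are assumptions chosen for the sample; tune them for real traffic volumes.
def detect_scans(entries, sweep_hosts: 5, scan_ports: 5)
  findings = []
  # Ping sweep: one source sending ICMP to many distinct hosts.
  entries.select { |e| e.proto == 'icmp' }.group_by(&:src).each do |src, es|
    n = es.map(&:dst).uniq.size
    findings << "ping sweep from #{src}: #{n} hosts" if n >= sweep_hosts
  end
  # Port scan: one source touching many distinct ports on one host.
  entries.select { |e| e.proto == 'tcp' }.group_by { |e| [e.src, e.dst] }.each do |(src, dst), es|
    n = es.map(&:port).uniq.size
    findings << "port scan from #{src} to #{dst}: #{n} ports" if n >= scan_ports
  end
  # XMAS probe: FIN+PSH+URG set together never occurs in a legitimate handshake.
  entries.each do |e|
    next unless e.proto == 'tcp' && e.flags.chars.sort.join == 'FPU'
    findings << "xmas probe from #{e.src} to #{e.dst}:#{e.port}"
  end
  findings
end

puts detect_scans(parse_log(SAMPLE_LOG)) if $PROGRAM_NAME == __FILE__
```

Running it on the sample reports one ping sweep, one port scan and one XMAS probe, while the single SYN from 10.0.0.8 stays below both thresholds.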