Downloaded 49 times
Uploaded byDefCamp
DefCamp 2013 - MSF Into The Worm Hole
This document provides an overview of using the Metasploit framework for penetration testing web applications. It discusses Metasploit modules like exploits, payloads, and listeners. It describes using direct exploits against hosts and browser exploits like heap spraying. It also covers using Metasploit for information gathering with Nmap and storing scan data in the Metasploit database. The document demonstrates a client-side attack against Internet Explorer using a binary payload and Immunity Debugger.
More Related Content
Similar to DefCamp 2013 - MSF Into The Worm Hole
![[null]Metapwn - Pwn at a puff by Prajwal Panchmahalkar](https://cdn.slidesharecdn.com/ss_thumbnails/metapwn-101219215353-phpapp01-thumbnail.jpg?width=640&height=640&fit=bounds)
![We will charge you. How to [b]reach vendor’s network using EV charging station.](https://cdn.slidesharecdn.com/ss_thumbnails/dmitryskljarcphexport1-190531064504-thumbnail.jpg?width=640&height=640&fit=bounds)
DefCamp 2013 - MSF Into The Worm Hole
- 2. Who Is ThisUgly Dude In Front of Me? Kizz MyAnthia Senior Penetration Tester HP Fortify – ShadowLabs @Kizz_My_Anthia www.KizzMyAnthia.com
- 3. Who Is ThisUgly Dude In Front of Me? • Background: • Penetration Tester for 13 years • Network Engineer for 15 years • In IT for 18 years • Regulatory Technology Tester for 5 years • Specializes in mobile technologies and communications • Social Engineering • Physical Security
- 4. • Introduction • PWNBones • Metasploit Framework Parts • Metasploit for Web PenTesting • Direct Exploits • Browser Exploits • HeySexxyLady.pwnme • Client-side Attacks • Wrap Up
- 5.
- 6. The PWN Boneis connected to the ‘sploit bone • Metasploit is a Framework built like a skeletal structure • Each part builds on the others • • • • • • • • Exploit Payload Shellcode Modules Listeners Auxiliary Modules Plugins Utilities
- 7. PWN Bones • Exploit •The means by which an attacker, or pen tester, takes advantage of a flaw within a system, application, or service. • Common eploits include: • Buffer Overflows • SQL Injections • Configuration Errors
- 8. PWN Bones • Payload •Code that is executed within an exploit • These are selected and delivered by the Metasploit Framework • Reverse Shell • The payload creates a connection from the target machine back to the attacker • Bind Shell • “Binds” a command prompt to a listening port on the target machine that the attacker can connect to
- 9. PWN Bones • Shellcode •A set of instructions used as a payload when exploitation occurs
- 10. PWN Bones • Modules •Whereas Metasploit is concerned, Modules are the pieces of software used by the framework to perform a specific task • Exploit Modules • Auxiliary Modules
- 11. PWN Bones • Listeners •A Metasploit Framework component • Waits for incoming connections or Reverse Payloads • Handles the remote connection
- 12. PWN Bones • AuxiliaryModules • • • • Reconnaissance Brute-force Fuzzers Custom
- 13. PWN Bones • Plugins •Applications that leverage the Metasploit Framework for exploitation • SET • Social Engineers Toolkit • WMAP • Web Application Scanner • Fast-track • Open source Python based tool to help perform advanced penetration testing techniques
- 14. PWN Bones • Utilities •MSFPayload • MSFEncode • MSFVenom
- 15. PWN Bones –WMAP • WMAP • Web Application “Scanner” • Focuses on utilizing the MSF Web Scanning & Data Collection Modules • Not a “Real” scanner
- 16. PWN Bones -SET • SET – Social Engineers Toolkit – Social-Engineer.org • Conceived by Chris Hadnagy (loganWHD) • Written by David Kennedy • Used to perform attacks against human weaknesses exploiting curiosity, credibility, avarice and human stupidity
- 17. Metasploit For WebPenTesting
- 18. Metasploit For WebPenTesting • Direct Exploits • Host/Server Exploits • Service Exploits • “Feature” Exploits • Browser Exploits • MS10-002 “Aurora” • Tab Nabbing • Browser AutoPWN
- 19. Metasploit For WebPenTesting • Direct Exploits • will exploit a specific host, run until completion, and then exit
- 20. Metasploit For WebPenTesting • Passive exploits wait for incoming hosts and exploit them as they connect. Passive exploits almost always focus on clients such as web browsers, FTP clients, etc. • They can also be used in conjunction with email exploits, waiting for connections. • Passive exploits report shells as they happen can be enumerated by passing '-l' to the sessions command. Passing '-i' will interact with a shell.
- 21. Metasploit For WebPenTesting • So how does this help me? • This sounds cool, but your full of shit….. Metasploit only works on NetPen tests
- 22. Metasploit For WebPenTesting
- 23. Metasploit For WebPenTesting • MSFPayload • a command-line instance of Metasploit that is used to generate and output all of the various types of shellcode that are available in Metasploit.
- 24. Metasploit For WebPenTesting
- 25. Metasploit For WebPenTesting
- 26. Metasploit For WebPenTesting • Start the Metasploit Listener • Use exploit/multi/handler
- 27. Metasploit For WebPenTesting
- 28. Metasploit For WebPenTesting
- 29. OSINT – InformationGathering
- 30. OSINT – InformationGathering • Information Gathering or Intelligence Gathering • Create a plan of attack • Gain an in-depth knowledge of the target • Record information for later use
- 31. OSINT – InformationGathering • Metasploit & Nmap • Uses Metasploit DB Connection • Stores Target information • • • • Ports Version Banners Scan Details
- 32. OSINT – InformationGathering • We need to create a Metasploit Framework DB and DB Connection • First we need to start the DB • service postgressql start
- 33. OSINT – InformationGathering • Launch MSFConsole and Connect to the DB • msfconsole
- 34. OSINT – InformationGathering • Connect to newly created DB • db_connect msfdev1:Password1@localhost:5432/msfdev2
- 35. OSINT – InformationGathering • Closer than Bert and Ernie • Metasploit Framework and Nmap
- 36. OSINT – InformationGathering • Calling Nmap from Metasploit Framework • nmap –PN –vvv ….. • Nmap can be called from within MSF and run natively • db_nmap –PN –vvv ….. • db_nmap will store the returned Nmap data to the MSF DB for use later
- 37. OSINT – InformationGathering • Metasploit Framework has many other Information Gathering Auxiliary Modules available • • • • • SMB scanning SQL scanning SSH scanning FTP scanning SNMP scanning
- 38.
- 39. HeySexxyLady.pwnme • Metasploit Client-sideAttacks • Browser Attacks • Buffer Overflow • Code Injection • Heap Spraying
- 40. HeySexxyLady.pwnme • Browser BasedExploits • Heap Spraying • “Heap” • Memory that is unallocated and used by the application as needed for the duration of the program’s runtime • NOP • No-Operation Instructions • Assembly Instruction to do Nothing until the next instruction • NOP Slide • Multiple NOP instructions in succession
- 41.
- 42. HeySexxyLady.pwnme • Create Payload •msfpayload windows/shell/bind_tcp LPORT=443 C
- 43. HeySexxyLady.pwnme • Copy the“Stage 1” Binary code
- 44. HeySexxyLady.pwnme • Copy &Edit the Binary Payload • Remove all un-needed characters • “ • x • Add “90”s to create NOP Slide
- 45. HeySexxyLady.pwnme • Load IEIn Immunity Debugger
- 46. HeySexxyLady.pwnme • Paste theBinary Payload Into the Debugger
- 47. HeySexxyLady.pwnme • When InternetExplorer is run within Immunity Debugger the code will be executed
- 48. HeySexxyLady.pwnme • Does thiswork in the real world?
- 49.
- 50. HeySexxyLady.pwnme • Aurora InThe Browser
- 51.
- 52.
- 53.
- 54.
- 55. Wrap Up Metasploit =Power
- 56. Wrap Up • Wherecan I get more information? • http://www.offensive-security.com/metasploit-unleashed/Introduction • Metasploit: The Penetration Tester's Guide • http://www.amazon.com/Metasploit-The-Penetration-Testers-Guide/dp/159327288X • www.KizzMyAnthia.com