Presentation is loading. Please wait.

Presentation is loading. Please wait.

Metasploit a one-stop hack shop

Published byHillary Day Modified over 5 years ago

Similar presentations

Presentation on theme: "Metasploit a one-stop hack shop"— Presentation transcript:

1 Metasploit a one-stop hack shop
Ziga Cerkovnik CSE 7344 SMU, 2017

2 What is metasploit? Open-source penetration testing framework
Developing and using security tools Wide range of modules Exploit Auxiliary Post-exploitation Payload Encoder NOP

3 payloads Inline Staged Meterpeter PassiveX NoNX Ord IPv6
Reflective DLL Types Stagers Singles Modules

4 Metasploit tools Meterpreter MSFvenom Payload within Metasploit
Exploits and controls victims Loads/runs DLLs on victims Metasploit component Generate standalone payloads Supports multiple formats ruby exe shell php Encode payloads

5 Live demo

6 Components and requirements
Attacker (Kali Linux) Metasploit Nmap Netcat Victim (Metasploitable  OWASP project, purposely vulnerable) Default configuration Private (virtual) network connection

7 Exploit: CVE-2007-2447 Report date: 5/2/2007
Samba: software providing file and print services between UNIX/Win Affected: Samba 3.0.XXX What went wrong: ‘SamrChangePassword()’ remote shell Bypass authorization Allows access to other services on the server TLDR; bypass authorization  root access If (‘smb.conf’=enabled)

8 Environment setup Internet (via host PC) C1 (VPN)
Attacker [ ]: Linux Kali 4.6.4 Network adapters: NAT (inactive) C1 (Host-only, private) Victim [ ] Metasploitable server Network adapters: C1 (Host-only, private)

9 sCENARIO Reconnaissance (see if our target is vulnerable)
Nmap to scan Victim machine (service scan + OS detection) Weaponization Select our exploit  CVE Prepare our payload (Metasploit reverse shell  ‘cmd/unix/reverse’) Exploitation and Delivery Connect to Victim’s Samba port (:139) through Attacker’s SSL (:443) port Leverage CVE Deliver the payload provided by MS to open a shell C2 Check available services to determine the next step Python|perl|php|netcat reverse shell script deployment Objective Extract something cool Open a reverse shell and gain root access

10 Reconnaissance : nmap Create a new workspace within Metasploit framework Target list is currently empty Use Nmap on Victim IP; OS + Services Scan

11 Nmap output This seems to be interesting, sincewe
will be exploiting Samba. Nmap output Smart 

12 2. weaponization: select exploit
We are familiar with CVE , so we perform a keyword search Exploit description and location There are multiple ‘Samba’ exploits available. For this scope we want to exploit the ‘usermap’ Vulnerability.

13 2. weaponization: select payload
Based on the exploit module we choose, compatible payloads are recommended We will be using this payload (generic reverse shell)

14 2. Weaponization: set module variables
Metasploit recognizes the Victim IP from the nmap scan, and populates RHOST (Victim) and RPORT (entry point) fields Configured in the next 2 steps: LHOST = Attacker machine LPORT; the reason we change it to 443 is to avoid possible firewall detection by accessing the ‘SSL’ port Exploit’s target

15 3. Exploitation and delivery
All we have to do. The exploit runs, our payload is delivered, and we now have access to a shell! WOAH! ROOT ACCESS ON VICTIM MACHINE!!!!!!!

16 4. C2: extract ‘/etc/shadow’
Create new folder ‘/send’ Output from ‘/etc/shadow’  ‘/send/pwned.txt’ Check what is in ‘pwned.txt’

17 4. C2: transfer ‘pwned.txt’
3. Attacker machine (‘/root/Desktop’) The file magically appears on Attacker machine! 1. Victim machine shell : Zip folder contents Use netcat to open port 1337 2. Attacker machine terminal: Connect to port 1337, which we just opened Aim the .tar file directly into tar, unzipping them in the current dir. (‘/root/Desktop’)

18 4. C2: verify ‘pwned.txt’ Victim machine shell
File on Attacker machine ‘/root/Desktop/pwned.txt’

19 4. C2: service lookup We already have root access through our reverse shell payload, however; if we do not obtain root privileges off the bat we may want to execute a short script on Victim machine to escalate privileges. That is what we are attempting next. Victim machine shell: Attempt to find a service we could use to run a command to initiate a reverse shell with root privileges Tried our ‘luck’  with php5  it appears to be present

20 4. C2: service lookup 2. 1. 3. Victim machine shell:
Execute a ‘compact’ reverse shell script written in php Connects to Attacker machine on port 666 Manipulate TCP file descriptors, enable root access via shell 2. 1. Attacker machine terminal: Command not shown (1): ‘nc –lvp 666’  listen on this port After the php script is run on Victim machine shell, Attacker has full control 3.

21 Extract something cool (-ish) Reverse shell with root privileges
5. Goals? Extract something cool (-ish) Reverse shell with root privileges

Download ppt "Metasploit a one-stop hack shop"

Similar presentations

Part 2 Penetration Testing. Review 2-minute exercise: RECON ONLY Find 3x IP addresses at the U.S. Merchant Marine Academy Google: “U.S. Merchant Marine.

Part 2 Penetration Testing. Review 2-minute exercise: RECON ONLY Find 3x IP addresses at the U.S. Merchant Marine Academy Google: “U.S. Merchant Marine.
WebGoat & WebScarab “What is computer security for $1000 Alex?”

WebGoat & WebScarab “What is computer security for $1000 Alex?”
A Complete Tool For System Penetration Testing Presented By:- Mahesh Kumar Sharma B.Tech IV Year Computer Science Roll No. :- CS09047.

A Complete Tool For System Penetration Testing Presented By:- Mahesh Kumar Sharma B.Tech IV Year Computer Science Roll No. :- CS09047.
ITP 457 Network Security Network Hacking 101. Hacking Methodology (review) 1. Gather target information 2. Identify services and ports open on the target.

ITP 457 Network Security Network Hacking 101. Hacking Methodology (review) 1. Gather target information 2. Identify services and ports open on the target.
Information Networking Security and Assurance Lab National Chung Cheng University 1 A Real World Attack: wu-ftp.

Information Networking Security and Assurance Lab National Chung Cheng University 1 A Real World Attack: wu-ftp.
Computer Security and Penetration Testing

Computer Security and Penetration Testing
Browser Exploitation Framework (BeEF) Lab

Browser Exploitation Framework (BeEF) Lab
Nikto LUCA ALEXANDRA ADELA. Nikto  Web server assessment tool  Written by Chris Solo and David Lodge  Released on December 27, 2001  Stable release:

Nikto LUCA ALEXANDRA ADELA. Nikto  Web server assessment tool  Written by Chris Solo and David Lodge  Released on December 27, 2001  Stable release:
Performing a Penetration Test.  Penetration Tester  Attempts to reveal potential consequences of a real attack  Security Audit / Vulnerability Assessment.

Performing a Penetration Test.  Penetration Tester  Attempts to reveal potential consequences of a real attack  Security Audit / Vulnerability Assessment.
Dennis  Application Security Specialist  WhiteHat Security  Full-Time Student  University of Houston – Main Campus ▪ Computer.

Dennis  Application Security Specialist  WhiteHat Security  Full-Time Student  University of Houston – Main Campus ▪ Computer.
4/13/2010.  CSS Meeting  Stephen Crane on Programming Contests  1pm  Building 8 room 345 05/11/10.

4/13/2010.  CSS Meeting  Stephen Crane on Programming Contests  1pm  Building 8 room /11/10.
Penetration Testing Training Day Capture the Flag Training.

Penetration Testing Training Day Capture the Flag Training.
MIS 5212.001 Week 2 Site:

MIS Week 2 Site:
EECS 354 Network Security Metasploit Features. Hacking on the Internet Vulnerabilities are always being discovered 0day vulnerabilities Every server or.

EECS 354 Network Security Metasploit Features. Hacking on the Internet Vulnerabilities are always being discovered 0day vulnerabilities Every server or.
Attack Lifecycle Many attacks against information systems follow a standard lifecycle: –Stage 1: Info. gathering (reconnaissance) –Stage 2: Penetration.

Attack Lifecycle Many attacks against information systems follow a standard lifecycle: –Stage 1: Info. gathering (reconnaissance) –Stage 2: Penetration.
CIS 450 – Network Security Chapter 3 – Information Gathering.

CIS 450 – Network Security Chapter 3 – Information Gathering.
MIS 5212.001 Week 1 Site:

MIS Week 1 Site:
Hands on with BackTrack Information gathering, scanning, simple exploits By Edison Carrick.

Hands on with BackTrack Information gathering, scanning, simple exploits By Edison Carrick.
1 Security Penetration Testing Angela Davis Mrinmoy Ghosh ECE4112 – Internetwork Security Georgia Institute of Technology.

1 Security Penetration Testing Angela Davis Mrinmoy Ghosh ECE4112 – Internetwork Security Georgia Institute of Technology.
CNIT 124: Advanced Ethical Hacking Ch 10: Client-Side Exploitation.

CNIT 124: Advanced Ethical Hacking Ch 10: Client-Side Exploitation.

Similar presentations

Ads by Google