ebook img

Metasploit Unleashed PDF

389 Pages·2011·4.61 MB·English
by  
Save to my drive
Quick download
Download
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview Metasploit Unleashed

AA W WOORRDD OOFF CCAAUUTTIIOONN This document is a work in progress and does not purport to be the final version. The contents have been taken from http://www.offensive-security.com/metasploit- unleashed/Metasploit_Unleashed_Information_Security_Training. Please visit the website for updated content. JUNE 2011 2 METASPLOIT UNLEASHED This free information security training is brought to you in a community effort to promote awareness and raise funds for underprivileged children in East Africa. Through a heart-warming effort by several security professionals, we are proud to present the most complete and in-depth open course about the Metasploit Framework. This is the free online version of the course. If you enjoy it and find it useful, we ask that you make a donation to the HFC (Hackers For Charity), $9.00 will feed a child for a month, so any contribution is welcome. We hope you enjoy this course as much as we enjoyed making it. 3 Table of Contents METASPLOIT UNLEASHED .............................................................................................................................. 2 INTRODUCTION ............................................................................................................................................... 8 METASPLOIT ARCHITECHTURE ......................................................................................................................... 9 FILESYSTEM AND LIBRARIES ....................................................................................................................................... 9 MODULES AND LOCATIONS ....................................................................................................................................... 9 METASPLOIT OBJECT MODEL .................................................................................................................................. 10 MIXINS AND PLUGINS ............................................................................................................................................ 10 Metasploit Mixins ........................................................................................................................................ 10 Metasploit Plugins ....................................................................................................................................... 11 REQUIRED MATERIALS ................................................................................................................................... 12 HARDWARE PREREQUISITES .................................................................................................................................... 12 METASPLOITABLE.................................................................................................................................................. 14 SETTING UP YOUR WINDOWS XP SP2 ...................................................................................................................... 14 Making The XP Machine Vulnerable ........................................................................................................... 15 Setting Up Additional Services .................................................................................................................... 15 Creating A Vulnerable Webapp ................................................................................................................... 21 METASPLOIT FUNDAMENTALS ....................................................................................................................... 29 MSFCLI ................................................................................................................................................................ 29 MSFWEB ............................................................................................................................................................. 31 MSFCONSOLE ....................................................................................................................................................... 31 Launching msfconsole ................................................................................................................................. 32 Getting Help ................................................................................................................................................ 32 Tab Completion ........................................................................................................................................... 33 The back Command ..................................................................................................................................... 33 The check Command ................................................................................................................................... 33 The connect Command ................................................................................................................................ 34 exploit vs. run .............................................................................................................................................. 34 The irb Command ........................................................................................................................................ 35 The jobs Command ...................................................................................................................................... 35 The load Command ..................................................................................................................................... 35 The resource Command .............................................................................................................................. 36 The route Command .................................................................................................................................... 37 The info Command ...................................................................................................................................... 37 The set/unset Commands ............................................................................................................................ 37 The sessions Command ............................................................................................................................... 39 The search Command .................................................................................................................................. 39 The show Command .................................................................................................................................... 40 The setg Command ..................................................................................................................................... 43 The use Command ....................................................................................................................................... 43 METASPLOIT EXPLOITS ........................................................................................................................................... 44 Active Exploits ............................................................................................................................................. 44 Using Exploits .............................................................................................................................................. 46 METASPLOIT PAYLOADS ......................................................................................................................................... 47 Payload Types ............................................................................................................................................. 48 Metasploit Generating Payloads ................................................................................................................. 49 ABOUT THE METASPLOIT METERPRETER.................................................................................................................... 50 Metasploit Meterpreter Basics .................................................................................................................... 51 4 INFORMATION GATHERING ........................................................................................................................... 55 THE DRADIS FRAMEWORK ...................................................................................................................................... 55 CONFIGURING DATABASES ...................................................................................................................................... 57 PORT SCANNING ................................................................................................................................................... 60 NOTES ON SCANNERS AND AUXILIARY MODULES ........................................................................................................ 63 HUNTING FOR MSSQL .......................................................................................................................................... 66 SERVICE IDENTIFICATION ........................................................................................................................................ 68 PASSWORD SNIFFING ............................................................................................................................................. 71 Extending Psnuffle ....................................................................................................................................... 72 SNMP SWEEPING ................................................................................................................................................ 73 CREATING YOUR OWN TCP SCANNER ....................................................................................................................... 75 VULNERABILITY SCANNING ............................................................................................................................ 77 SMB LOGIN CHECK ............................................................................................................................................... 77 VNC AUTHENTICATION .......................................................................................................................................... 78 OPEN X11........................................................................................................................................................... 78 WMAP WEB SCANNER ......................................................................................................................................... 79 WORKING WITH NEXPOSE ..................................................................................................................................... 82 NeXpose from msfconsole ........................................................................................................................... 85 WORKING WITH NESSUS........................................................................................................................................ 87 Nessus Via Msfconsole ................................................................................................................................ 91 USING THE MSF DATABASE .................................................................................................................................... 94 WRITING A SIMPLE FUZZER .................................................................................................................................... 99 SIMPLE TFTP FUZZER ............................................................................................................................................ 99 SIMPLE IMAP FUZZER ......................................................................................................................................... 101 EXPLOIT DEVELOPMENT .............................................................................................................................. 104 METASPLOIT EXPLOIT DESIGN GOALS ..................................................................................................................... 104 METASPLOIT EXPLOIT FORMAT .............................................................................................................................. 105 Exploit Skeleton ......................................................................................................................................... 105 Defining Vulnerability Tests ...................................................................................................................... 105 Sample check() Method ............................................................................................................................. 106 METASPLOIT EXPLOIT MIXINS ............................................................................................................................... 106 METASPLOIT EXPLOIT TARGETS ............................................................................................................................. 107 Target Options Block ................................................................................................................................. 108 Accessing Target Information ................................................................................................................... 108 Adding and Fixing Exploit Targets ............................................................................................................. 108 METASPLOIT EXPLOIT PAYLOADS ........................................................................................................................... 109 Encoding Example ..................................................................................................................................... 110 Payload Block Options ............................................................................................................................... 110 Msfvenom ................................................................................................................................................. 110 Msfpayload ............................................................................................................................................... 111 Alphanumeric Shellcode ............................................................................................................................ 118 MAKING SOMETHING GO BOOM ........................................................................................................................... 121 Getting A Shell ........................................................................................................................................... 124 USING THE EGGHUNTER MIXIN ............................................................................................................................. 129 Porting the PoC ......................................................................................................................................... 130 Completing The Exploit ............................................................................................................................. 132 PoC to Exploit ............................................................................................................................................ 133 ALPHANUMERIC SHELLCODE ................................................................................................................................. 139 PORTING EXPLOITS .............................................................................................................................................. 141 CLIENT SIDE EXPLOITS .................................................................................................................................. 147 BINARY PAYLOADS .............................................................................................................................................. 147 ANTIVIRUS BYPASS .............................................................................................................................................. 150 BINARY LINUX TROJANS ....................................................................................................................................... 154 5 JAVA APPLET INFECTION ....................................................................................................................................... 156 CLIENT SIDE ATTACKS .......................................................................................................................................... 162 VBSCRIPT INFECTION METHODS ............................................................................................................................ 167 MSF POST EXPLOITATION ............................................................................................................................ 170 METASPLOIT PRIVILEGE ESCALATION ...................................................................................................................... 170 PSEXEC PASS THE HASH ....................................................................................................................................... 171 EVENT LOG MANAGEMENT ................................................................................................................................... 173 FUN WITH INCOGNITO ......................................................................................................................................... 177 INTERACTING WITH THE REGISTRY ......................................................................................................................... 180 Persistent Netcat Backdoor ....................................................................................................................... 180 ENABLING REMOTE DESKTOP ................................................................................................................................ 183 PACKET SNIFFING WITH METERPRETER ................................................................................................................... 184 packetrecorder .......................................................................................................................................... 186 PIVOTING .......................................................................................................................................................... 187 TIMESTOMP ....................................................................................................................................................... 191 METERPRETER SCREEN CAPTURE ........................................................................................................................... 197 METERPRETER SEARCHING.................................................................................................................................... 198 METERPRETER SCRIPTING ............................................................................................................................ 200 EXISTING SCRIPTS................................................................................................................................................ 200 WRITING METERPRETER SCRIPTS ........................................................................................................................... 204 CUSTOM SCRIPTING ............................................................................................................................................ 206 USEFUL API CALLS .............................................................................................................................................. 211 USEFUL FUNCTIONS............................................................................................................................................. 212 MAINTAINING ACCESS ................................................................................................................................. 216 KEYLOGGING ...................................................................................................................................................... 216 PERSISTENT METERPRETER SERVICE ........................................................................................................................ 218 METERPRETER BACKDOOR SERVICE ........................................................................................................................ 219 Interacting With Metsvc ............................................................................................................................ 220 MSF EXTENDED USAGE ................................................................................................................................ 223 PHP METERPRETER ............................................................................................................................................ 223 BACKDOORING EXE FILES ..................................................................................................................................... 224 KARMETASPLOIT ................................................................................................................................................. 226 Karmetasploit Configuration ..................................................................................................................... 226 Karmetasploit In Action ............................................................................................................................. 228 Karmetasploit Attack Analysis .................................................................................................................. 231 MSF VS OSX ..................................................................................................................................................... 236 FILE UPLOAD BACKDOORS .................................................................................................................................... 238 BUILDING A METASPLOIT MODULE ........................................................................................................................ 239 Payloads Through MSSQL ......................................................................................................................... 241 Creating Our Auxiliary Module .................................................................................................................. 242 The Guts Behind It ..................................................................................................................................... 245 BEYOND METASPLOIT .................................................................................................................................. 247 ARMITAGE ......................................................................................................................................................... 247 Armitage Setup ......................................................................................................................................... 247 Scanning with Armitage ............................................................................................................................ 249 Exploitation with Armitage ....................................................................................................................... 252 SET ................................................................................................................................................................. 256 Getting Started with SET ........................................................................................................................... 256 Menu Based Driving .................................................................................................................................. 261 Spear-Phishing Attack Vector .................................................................................................................... 265 Java Applet Attack Vector ......................................................................................................................... 269 Metasploit Browser Attack Method .......................................................................................................... 274 6 Credential Harvester Attack Method ........................................................................................................ 277 Tabnabbing Attack Method ...................................................................................................................... 280 Man Left in the Middle Attack Method ..................................................................................................... 283 Web Jacking Attack Method ..................................................................................................................... 283 Multi-Attack Web Vector .......................................................................................................................... 286 Infectious Media Generator ...................................................................................................................... 292 Teensy USB HID Attack Vector .................................................................................................................. 294 SMS Spoofing Attack Vector ...................................................................................................................... 299 SET Automation ......................................................................................................................................... 301 SET Web-Interface ..................................................................................................................................... 304 Developing your own SET modules ........................................................................................................... 305 SET Frequently Asked Questions ............................................................................................................... 308 FAST-TRACK ...................................................................................................................................................... 309 Fast Track Modes ...................................................................................................................................... 309 Fast Track Updates .................................................................................................................................... 311 Fast-Track Autopwn Automation .............................................................................................................. 312 Fast-Track Nmap Scripting Engine ............................................................................................................ 315 MSSQL Injector .......................................................................................................................................... 316 MSSQL Bruter ............................................................................................................................................ 320 Binary To Hex Converter ............................................................................................................................ 324 Mass-Client Attack .................................................................................................................................... 325 SQL Pwnage............................................................................................................................................... 328 Payload Generator .................................................................................................................................... 332 METASPLOIT MODULE REFERENCE .............................................................................................................. 335 AUXILIARY MODULES ........................................................................................................................................... 335 Admin Modules ......................................................................................................................................... 335 Admin HTTP Modules............................................................................................................................................. 335 auxiliary/admin/http/tomcat_administration .................................................................................................. 335 Scanner Modules ....................................................................................................................................... 336 DCERPC Scanners ................................................................................................................................................... 336 auxiliary/scanner/dcerpc/endpoint_mapper ................................................................................................... 336 auxiliary/scanner/dcerpc/hidden ..................................................................................................................... 339 auxiliary/scanner/dcerpc/management ........................................................................................................... 340 auxiliary/scanner/dcerpc/tcp_dcerpc_auditor ................................................................................................. 341 Discovery Scanners ................................................................................................................................................ 343 auxiliary/scanner/discovery/arp_sweep .......................................................................................................... 343 auxiliary/scanner/discovery/ipv6_neighbor ..................................................................................................... 343 auxiliary/scanner/discovery/udp_probe .......................................................................................................... 345 auxiliary/scanner/discovery/udp_sweep .......................................................................................................... 346 FFTTPP SSccaannnneerrss .......................................................................................................................................................... 347 auxiliary/scanner/ftp/anonymous .................................................................................................................... 347 auxiliary/scanner/ftp/ftp_login ........................................................................................................................ 348 auxiliary/scanner/ftp/ftp_version .................................................................................................................... 349 SMB Scanners......................................................................................................................................................... 350 auxiliary/scanner/smb/pipe_auditor ................................................................................................................ 350 auxiliary/scanner/smb/pipe_dcerpc_auditor ................................................................................................... 351 auxiliary/scanner/smb/smb2 ............................................................................................................................ 351 auxiliary/scanner/smb/smb_enumshares ........................................................................................................ 352 auxiliary/scanner/smb/smb_enumusers .......................................................................................................... 353 auxiliary/scanner/smb/smb_login .................................................................................................................... 354 auxiliary/scanner/smb/smb_lookupsid ............................................................................................................ 356 auxiliary/scanner/smb/smb_version ................................................................................................................ 358 SMTP Scanners ....................................................................................................................................................... 359 auxiliary/scanner/smtp/smtp_enum ................................................................................................................ 359 auxiliary/scanner/smtp/smtp_version ............................................................................................................. 360 SNMP Scanners ...................................................................................................................................................... 361 auxiliary/scanner/snmp/snmp_enum .............................................................................................................. 361 auxiliary/scanner/snmp/snmp_enumshares .................................................................................................... 363 auxiliary/scanner/snmp/snmp_enumusers ...................................................................................................... 363 7 auxiliary/scanner/snmp/snmp_login ................................................................................................................ 364 SSH Scanners .......................................................................................................................................................... 365 auxiliary/scanner/ssh/ssh_login ....................................................................................................................... 365 auxiliary/scanner/ssh/ssh_login_pubkey ......................................................................................................... 366 auxiliary/scanner/ssh/ssh_version ................................................................................................................... 367 Telnet Scanners ...................................................................................................................................................... 368 auxiliary/scanner/telnet/telnet_login .............................................................................................................. 368 auxiliary/scanner/telnet/telnet_version .......................................................................................................... 370 TFTP Scanners ........................................................................................................................................................ 371 auxiliary/scanner/tftp/tftpbrute ....................................................................................................................... 371 Server Modules .......................................................................................................................................... 371 Capture Modules ................................................................................................................................................... 371 auxiliary/server/capture/ftp ............................................................................................................................. 371 use auxiliary/server/capture/http_ntlm ........................................................................................................... 372 auxiliary/server/capture/pop3 ......................................................................................................................... 374 auxiliary/server/capture/smb ........................................................................................................................... 375 POST MODULES ................................................................................................................................................. 376 Multi-OS Post-Exploitation Modules ......................................................................................................... 376 post/multi/gather/env ........................................................................................................................................... 376 post/multi/gather/firefox_creds ............................................................................................................................ 376 post/multi/gather/ssh_creds ................................................................................................................................. 377 Windows Post-Exploitation Modules ........................................................................................................ 378 post/windows/capture/keylog_recorder ............................................................................................................... 378 post/windows/gather/arp_scanner ....................................................................................................................... 378 post/windows/gather/checkvm ............................................................................................................................. 379 post/windows/gather/credential_collector ........................................................................................................... 379 post/windows/gather/dumplinks .......................................................................................................................... 380 post/windows/gather/enum_applications ............................................................................................................ 380 post/windows/gather/enum_logged_on_users .................................................................................................... 381 post/windows/gather/enum_shares ..................................................................................................................... 381 post/windows/gather/enum_snmp ....................................................................................................................... 382 post/windows/gather/hashdump .......................................................................................................................... 382 post/windows/gather/usb_history ........................................................................................................................ 382 post/windows/manage/autoroute ........................................................................................................................ 383 post/windows/manage/delete_user ..................................................................................................................... 384 post/windows/manage/migrate ............................................................................................................................ 384 post/windows/manage/multi_meterpreter_inject ............................................................................................... 385 Linux Post-Exploitation Modules ............................................................................................................... 385 post/linux/gather/hashdump ................................................................................................................................ 385 ABOUT THE AUTHORS .................................................................................................................................. 387 MATI AHARONI .................................................................................................................................................. 387 WILLIAM COPPOLA ............................................................................................................................................. 387 DEVON KEARNS .................................................................................................................................................. 387 DAVID KENNEDY ................................................................................................................................................. 388 MATTEO MEMELLI .............................................................................................................................................. 388 MAX MOSER ..................................................................................................................................................... 388 JIM O'GORMAN ................................................................................................................................................. 388 DAVID OVITZ ..................................................................................................................................................... 388 CARLOS PEREZ.................................................................................................................................................... 389 8 Introduction “If I had eight hours to chop down a tree, I’d spend the first six of them sharpening my axe.” -Abraham Lincoln This saying has followed me for many years, and is a constant reminder to me that approaching a problem with the right set of tools is imperative for success. So what does this semi philosophical opening have to do with the Metasploit Framework? Before approaching a penetration test or an audit, I take care to “sharpen my tools” and update anything updatable in BackTrack. This includes a short chain reaction, which always starts with a prompt “svn update” of the Metasploit framework. I consider the MSF to be one of the single most useful auditing tools freely available to security professionals today. From a wide array of commercial grade exploits and an extensive exploit development environment, all the way to network information gathering tools and web vulnerability plugins. The Metasploit Framework provides a truly impressive work environment. The MSF is far more than just a collection of exploits, it's an infrastructure that you can build upon and utilize for your custom needs. This allows you to concentrate on your unique environment, and not have to reinvent the wheel. This course has be written in a manner to encompass not just the front end "user" aspects of the framework, but rather give you an introduction to the capabilities that Metasploit provides. We aim to give you an in depth look into the many features of the MSF, and provide you with the skill and confidence to utilize this amazing tool to its utmost capabilities. Keep in mind that the MSF is constantly evolving and I suspect that by the time this course comes to light, there will have been many changes and additions in the project. We will attempt to keep this course up to date with all new and exciting Metasploit features as they are added. A degree of prerequisite knowledge is expected and required of students before the content provided in this course will be useful. If you find you are unfamiliar with a certain topic, we recommend you spend time engaging in self research on the problem before attempting the module. There is nothing more satisfying than solving problems yourself, so we we highly encourage you to Try Harder. 9 Metasploit Architechture Filesystem and Libraries The MSF filesystem is laid out in an intuitive manner and is organized by directory. • lib: the 'meat' of the framework code base • data: editable files used by Metasploit • tools: various useful command-line utilities • modules: the actual MSF modules • plugins: plugins that can be loaded at run-time • scripts: Meterpreter and other scripts • external: source code and third-party libraries Libraries Rex • The basic library for most tasks • Handles sockets, protocols, text transformations, and others • SSL, SMB, HTTP, XOR, Base64, Unicode Msf::Core • Provides the 'basic' API • Defines the Metasploit Framework Msf::Base • Provides the 'friendly' API • Provides simplified APIs for use in the Framework Modules and Locations Metasploit, as presented to the user, is composed of modules. 10 Exploits • Defined as modules that use payloads • An exploit without a payload is an Auxiliary module Payloads, Encoders, Nops • Payloads consist of code that runs remotely • Encoders ensure that payloads make it to their destination • Nops keep the payload sizes consistent. Modules Locations Primary Module Tree • Located under $install/modules// User-Specified Module Tree • Located under ~/.msf3/modules// • This location is ideal for private module sets Loading Additional Trees at Runtime • Pass the -m option when running msfconsole (./msfconsole -m) • Use the loadpath command within msfconsole Metasploit Object Model In the Metasploit Framework, all modules are Ruby classes. • Modules inherit from the type-specific class • The type-specific class inherits from the Msf::Module class • There is a shared common API between modules Payloads are slightly different. • Payloads are created at runtime from various components • Glue together stagers with stages Mixins and Plugins A quick diversion into Ruby. • Every Class only has one parent • A class may include many Modules • Modules can add new methods • Modules can overload old methods • Metasploit modules inherit Msf::Module and include mixins to add features. Metasploit Mixins Mixins are quite simply, the reason why Ruby rocks. • Mixins 'include' one class into another • This is both different and similar to inheritance • Mixins can override a class' methods Mixins can add new features and allows modules to have different 'flavors'. • Protocol-specific (ie: HTTP, SMB) • Behavior-specific (ie: brute force) • connect() is implemented by the TCP mixin • connect() is then overloaded by FTP, SMB, and others. Mixins can change behavior. • The Scanner mixin overloads run() • Scanner changes run() for run_host() and run_range() • It calls these in parallel based on the THREADS setting 11 • The BruteForce mixin is similar class MyParent def woof puts “woof!” end end class MyClass < MyParent end object = MyClass.new object.woof() => “woof!” ================================================================ module MyMixin def woof puts “hijacked the woof method!” end end class MyBetterClass < MyClass include MyMixin end Metasploit Plugins Plugins work directly with the API. • They manipulate the framework as a whole • Plugins hook into the event subsystem • They automate specific tasks which would be tedious to do manually Plugins only work in the msfconsole. • Plugins can add new console commands • They extend the overall Framework functionality 12 Required Materials It should come as no surprise that the majority of exploits available in the Metasploit Framework are targeted against Microsoft Windows, so in order to complete the course labs you will require a target system to attack. This system should consist of a Virtual Machine running on your choice of host operating system. While VMware Converter and VMware Player are "free", you will have to register for the downloads. However, the virtualization applications and appliances are well worth the registration if you're not already a current member. You may also use VMware Workstation or other implementations of Virtual Infrastructure. This course was created using the latest svn trunk version of the Metasploit Framework which, at the time of this writing is version 3.3-dev. If you are using back|track 4 as your platform, you can always update to the latest version of the trunk by issuing a 'svn up' in the '/pentest/exploits/framework3/' directory. Hardware Prerequisites Before we dive into the wonderful world of the Metasploit Framework we need to ensure our hardware will meet or exceed some requirements before we proceed. This will help eliminate many problems before they arise later in this document. All values listed are estimated or recommended. You can get away with less although performance will suffer. Some of the hardware requirements that should be considered are: • Hard Drive Space • Available Memory • Processors Capabilities • Inter/Intra-net Access Hard Drive Space This will be the most taxing hurdle to overcome. Be creative if you might have some storage space constraints. This process can consume almost 20 gigabytes of Storage space, so be forewarned. This means we can not use a FAT32 partition since it does not support large files. Choose NTFS, ext3 or some other format. The recommended amount of space needed is 40 gigabytes. 730000000 696MB //z01 file size on disk 730000000 696MB //z02 file size on disk 730000000 696MB //z03 file s...

See more

The list of books you might like

Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.