Once you've built your foundation for penetration testing, you'll learn the Framework's conventions, interfaces, and module system as you launch simulated attacks. You'll move on to advanced penetration testing techniques, including network reconnaissance and enumeration, client-side attacks, wireless attacks, and targeted social-engineering attacks.
He is on the BackTrack and Exploit-Database development team and is a core member of the Social-Engineer podcast and framework. He is involved in digital investigations and malware analysis, and helped build forensic capabilities into BackTrack Linux. They can operate as scanners, denial-of-service modules, fuzzers, and much more. This command will display them and list their features. You can also issue the back command to go back once inside a module. NOTE: You can perform a search or use at any time within an exploit to switch to a different exploit or module.
As with show options, when you run show payloads from a module-specific prompt, Metasploit displays only the payloads that are compatible with that module. In the case of Microsoft Windows-based exploits, these payloads may be as simple as a command prompt on the target or as complex as a full graphical interface on the target machine.
In the previous example we searched for the MS module. Notice in the example that only Windows-based payloads are shown. Metasploit will generally identify the type of payloads that can be used with a particular attack. In this example, you could configure the payload to connect back to the attacker machine on a specific IP address and port number, called a reverse payload.
In reverse payloads, the connection is actually triggered by the target machine and it connects to the attacker. You might use this technique to circumvent a firewall or NAT installation. For example, because the vulnerability targeted by MS relies on hard-coded memory addresses, the exploit is specific to operating systems with specific patch levels, language version, and security implementations, as explained in detail in later chapters (Chapter 14 onward). Using the show targets command at the msf MS prompt displays a list of 60 exploit targets, with only a portion shown in the following example.
The success of the exploit will depend on the version of Windows you are targeting. Sometimes automatic detection will not work and could even trigger the wrong exploit, which will usually lead to a service crash. NOTE: This particular exploit is temperamental, and it has a tough time determining the operating system.
When you enter show options, you will see information that specifies whether a field is required. Use the set command to set an option (turn it on); use unset to turn a setting off. The next listing shows the set and unset commands in use. NOTE: Notice that the variables are referenced using uppercase characters.
setg and unsetg
The setg and unsetg commands are used to set or unset a parameter globally within msfconsole. Using these commands can save you from having to re-enter the same information repeatedly, particularly in the case of frequently used options that rarely change, such as LHOST. You can enter the save command at any time in Metasploit to save your current place. If for some reason you need to start over, move or delete this file to revert to the default settings. As your skills as a penetration tester improve, the discovery of certain open ports will trigger ideas about how you might exploit a particular service.
NSE: Script Scanning completed. Notice the flags used while scanning the host with nmap. The -sT is a Stealth TCP connect, which we have found to be the most reliable flag when trying to enumerate ports. Others prefer -sS, or Stealth SYN. The -A specifies advanced OS detection, which does some additional banner grabs and footprinting of a specific service for us. This is a good indicator that we have a chance at exploiting this system. This exploit is specific to the operating system version, service pack, and language in use on the system, a result of the exploit bypassing Data Execution Prevention (DEP).
DEP was created to help protect against buffer overflow attacks by rendering the stack read-only and thereby preventing arbitrarily placed shellcode from executing. However, we can bypass DEP and force Windows to make the stack writable by performing some complex stack manipulation.
Because MS is an exploit that is very specific regarding the OS version in use, we will manually set our target to make sure we trigger the correct overflow. It is also identified as possibly Windows, but the system is missing key ports that would be associated with the Server Edition.
We'll assume that our target is running the English version of XP. This is important if you find that a firewall is in place and you need to bypass incoming controls on a firewall or NAT. The NX stands for No Execute. Channel 1 created. Microsoft Windows XP [Version 5. Only one session is active, as shown in the listing, but if we targeted multiple systems, several sessions could be open simultaneously. To view a list of the exploits that created each session, you would enter sessions -l -v.
Notice that this drops us into a Meterpreter shell. If, for example, a reverse command shell existed, this command would drop us straight to a command prompt.
To list the available commands for a particular exploit, you can enter show options. The steps are pretty much the same as for the preceding exploit except that we will select a different payload. Notice in this example that we used a bind shell to set up a listener port on the target machine; Metasploit handles the direct connection to the system automatically for us. Remember to use the reverse payload when attacking through a firewall or NAT. Most companies block outbound connections except those from a few defined ports, and it can be difficult to determine which ports can make outbound connections.
But why guess when Metasploit has a very specific payload for use in finding open ports? Going through the entire port range can take quite a long time, however.
Resource Files
Resource files are script files that automate commands within msfconsole. They contain a list of commands that are executed from msfconsole and run sequentially.
Resource files can greatly reduce testing and development times, allowing you to automate many repetitive tasks, including exploitation. Resource files can be loaded from msfconsole with the resource command, or they can be passed as a command-line argument with the -r switch. For example, the following listing uses an SMB exploit in a newly created resource file called autoexploit. NOTE: These are just a couple of simple examples. In Chapter 12, you will learn how to use karma, a very large resource file. We began this chapter by covering the basics of exploitation and compromising a target based on a discovered vulnerability.
We used nmap to identify potentially vulnerable services. From there we launched an exploit that gave us access to a system. In the next chapter, we will explore Meterpreter in more detail as we learn how to use it in post exploitation. Meterpreter is one of the flagship products in Metasploit and is leveraged as a payload after a vulnerability is exploited. A payload is the information returned to us when we trigger an exploit. For example, when we exploit a weakness in a Remote Procedure Call (RPC), trigger the exploit, and select Meterpreter as the payload, we would be given a Meterpreter shell to the system.
Some of this functionality includes ways to cover your tracks, reside purely in memory, dump hashes, access operating systems, pivot, and much more. In this chapter, we'll leverage normal attack methods within Metasploit to compromise a Windows XP machine.
Compromising a Windows XP Virtual Machine
Before we dive into the specifics of Meterpreter, we first need to compromise a system and get a Meterpreter shell.
Luckily, the UDP port for which we did not scan remains the same and can be queried to identify the dynamic port of the SQL server. When MS SQL is first installed, the program will require the user to create an sa, or system administrator, account. Its version number 9. We discuss Fast-Track in more detail in a later chapter. NOTE: Fast-Track is a tool created by one of the authors of this book that leverages multiple attacks, exploits, and the Metasploit Framework for payload delivery.
You can call this stored procedure and have it query and execute underlying operating system calls directly with MS SQL. Think of it as a kind of superuser command prompt that allows you to run anything you want on the operating system. Once the Meterpreter shell is presented, we know that the exploit was successful and we can continue with post exploitation on this system.
Basic Meterpreter Commands
Having successfully compromised the target and gained a Meterpreter console on the system, we can glean more information with some basic Meterpreter commands.
Use the help command at any point for more information on how to use Meterpreter. Chapter 7 discusses antivirus evasion in more detail. Because SP2 is end of life, we can assume that we can find a ton of holes on this system. Executing ps provides a list of running processes, including explorer.
Dumping Usernames and Passwords
In the preceding example, we grabbed password hashes by logging what a user typed. We can also use Meterpreter to obtain the usernames and password hashes on a local file system without the use of keyloggers.
In the case of LM, for example, when a user enters a password for the first time or changes a password, the password is assigned a hash value. Depending on the hash value length, the password can be split into seven-character hashes. For example, if the password is password! In NTLM, regardless of the password size, password1 would be stored as a hash value of password1. Our password is larger than the character maximum that LM supports, so it has automatically converted itself to an NTLM-based hash value.
Even with rainbow tables or a super powerful cracking machine, it would take a significant amount of time to crack these passwords. In the following code, we extract a username and password hash for the Administrator user account with UID (the Windows Administrator system default). The strings that follow Administrator: are two hashes of the Administrator password.
This shows an example of a simple extract of a username and password hashes. Shortly, we will extract our own username and password hashes from our Windows XP system.
Metasploit: The Penetration Tester's Guide
We will leverage the use priv command, which means we are running as a privileged user account. Try performing this scenario on a test virtual machine to see if you can dump the username and password hashes. In this listing, we execute the hashdump command, which dumps all the usernames and password hashes from the system. Administrator: :aad3bb5leeaad3bb5lee:bf65dle04afed7l2ac36c : : A hash value that starts with aad3b is simply an empty or null hash value — a placeholder for an empty string.
Because our password was longer than 14 characters, Windows can no longer store an LM hash, and it uses the standard aad3b null value. Then extract the password hashes from the system with hashdump and copy the first hash value (such as the portion beginning with aad3b in the preceding example), which is the LM hash. Next, search for one of the many online password crackers and submit your hash value. Wait a few minutes, click the refresh button a couple of times, and your password should be cracked.
Be careful not to use one of your real passwords, because the information is frequently posted to everyone who visits the site! This is a rainbow table attack. A rainbow table is a precomputed table used for reversing cryptographic hash functions, usually for cracking passwords. Rainbow tables use every combination of characters including 1-7, a-z, special symbols, and spaces.
When you submit your hash to an online cracker, the site's server searches through gigabytes of rainbow tables for your specific hash. We can use the pass-the-hash technique, which requires that we have only the password hash, not the password itself. As you can see, authentication is successful and we gain our Meterpreter session.
When we successfully compromise one system on a large network, in most cases that system will have the same administrator account on multiple systems. This attack would allow us to hop from one system to another without ever needing to crack the password itself.
Privilege Escalation
Now that we have access to the system, we can create a normal user account with limited permissions using the net user command.
You will learn more about this in Chapter 8. When we compromise a limited user account, we will run into restrictions that prevent us from executing commands that require administrative-level permissions. Next, we create a Meterpreter-based payload, payload. This will be our new limited user account.
In this example, we will use msfpayload to create a Meterpreter-based payload as a normal Windows executable. We then call the msfcli interface to start a listener handler for us. This listener handler will wait for connections, and when one is received, it will spawn a Meterpreter shell. On the attacker machine, we create a new Meterpreter stand-alone executable, copy the executable to the Windows XP machine, and run it under the user account bob. After the target executes the payload on the system payload. We can, for example, generate a payload. Then enter sessions -l and sessions -i sessionid to return to your Meterpreter console.
As shown in the next listing, we enter use priv to load the priv extensions, which gets us access to the privileged module (which may already be loaded). Next, we enter getsystem in an attempt to elevate our privilege to that of local system, or administrator. We then verify that we have admin privileges with the getuid command. A domain administrator account has logged on within the last 13 hours. When this account logs on, a Kerberos token is passed to the server (single sign-on) and is valid for a certain period of time.
You exploit this system via the valid and active Kerberos token, and through Meterpreter you successfully assume the role of a domain administrator, without needing the password. Then you hack a domain administrator account or go after a domain controller. This is probably one of the easiest ways to gain access into a system and just another example of why Meterpreter is so useful. In some cases, ps may not list a running process running as a domain administrator. We can leverage incognito to list available tokens on the system as well.
When performing a penetration test, we should check the output of both ps and incognito because the results may vary. Note the INXihazdomainadmin user account. Now we can pretend to be someone else. Our domain controller, in this case, would be the IP address of a domain controller.
The implications for this attack are devastating: Essentially, the Kerberos token on any system that a domain administrator logs into can be assumed and used to access the entire domain. This means that every server on your network is your weakest link!
Pivoting onto Other Systems
Pivoting is a Meterpreter method that allows for the attack of other systems on a network through the Meterpreter console.
For example, if an attacker were to compromise one system, he could use pivoting to compromise other systems on the same network or to access systems to which he could not otherwise route traffic, for whatever reason. You compromise a system through a vulnerability and have a Meterpreter console to the internal network. Pivoting will allow you to attack multiple systems on the internal network through the Internet, using the Meterpreter console.
These scripts offer additional functionality that we can use within Meterpreter. The specific exploit here is a Samba-based heap overflow, which would be vulnerable on our Metasploitable machine. We are leveraging the pivoting attack through Metasploit to pass communications through our exploited machine to the target machine that resides on the local subnet. In this case, if the heap overflow is successful, we should be presented with a reverse shell. In the preceding examples, we used the route add command after we had compromised the system.
To run a script from the Meterpreter console, enter run scriptname. The script will either execute or provide additional help on how to run it. Should you want to use an interactive remote GUI on the system, you can use the VNC protocol to tunnel the active desktop communications and interact with the GUI desktop on the target machine. But in some cases, the system may be locked and you may be unable to access it.
Never fear: Metasploit has us covered. In the following example, we issue the run vnc command, which installs a VNC session on the remote system. As a result, a VNC window should appear, showing us the target desktop.
Migrating a Process
Often, when we are attacking a system and exploiting a service such as Internet Explorer, if the target user closes the browser, the Meterpreter session is also closed and we lose our connection to the target.
In such cases, we can run the killav script to stop the processes preventing our tasks from running. Administrator : e52cacl9a9aa3bl08f3fa6cb6df7eaee8fbll7ad06bddbc: : :
Viewing All Traffic on a Target Machine
To see all traffic on a target, we can run a packet recorder. Everything captured by packetrecorder is saved in the directory shown in the listing. If this is a reverse connection, you can set intervals for the target to connect back to the attacker machine. If you forget to do this, any attacker can also gain access to the system without authentication!
In the following listing, we run persistence and tell Windows to autostart the agent at boot time (-X), wait 50 seconds (-i 50) before connection retries, run on the given port (-p), and connect to the given IP address. Generally, you can remove it through Meterpreter or drop to a shell and remove it that way. If you feel more comfortable using a GUI, you can use run vnc and remove the script with regedit.
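The persistence agent described above retries its reverse connection on a fixed interval (-i 50), which is exactly the kind of regularity a defender can look for in egress logs. The following is an added example, not code from the book or the Framework: it groups constructed outbound connection records by (source, destination) and flags pairs whose inter-connection gaps are nearly constant. The log format, field names, and sample addresses are assumptions made for the example.

```python
"""Beacon-interval detection over outbound connection logs.

Added example (not from the book). A persistence agent that reconnects on a
fixed timer leaves near-identical gaps between connections to the same
destination; this scans constructed flow records for that pattern.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample records (not real traffic). Assumed line format:
# "<ISO timestamp> <src-ip> <dst-ip>:<dst-port>"
# The first host reconnects every 50 seconds; the second is irregular.
SAMPLE_LOG = """\
2024-05-01T09:00:00 10.0.0.5 203.0.113.7:443
2024-05-01T09:00:50 10.0.0.5 203.0.113.7:443
2024-05-01T09:01:40 10.0.0.5 203.0.113.7:443
2024-05-01T09:02:30 10.0.0.5 203.0.113.7:443
2024-05-01T09:03:20 10.0.0.5 203.0.113.7:443
2024-05-01T09:00:05 10.0.0.8 198.51.100.20:443
2024-05-01T09:00:09 10.0.0.8 198.51.100.20:443
2024-05-01T09:07:31 10.0.0.8 198.51.100.20:443
2024-05-01T09:21:00 10.0.0.8 198.51.100.20:443
2024-05-01T09:30:02 10.0.0.8 198.51.100.20:443
"""


def parse_log(text):
    """Group connection timestamps by (src, dst) pair."""
    flows = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, dst = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows


def find_beacons(text, min_connections=4, max_jitter=0.2):
    """Return (src, dst, mean_interval_seconds) for pairs whose gaps between
    connections are nearly constant: coefficient of variation <= max_jitter.
    Pairs with fewer than min_connections records are ignored."""
    hits = []
    for (src, dst), times in parse_log(text).items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        if pstdev(gaps) / avg <= max_jitter:
            hits.append((src, dst, round(avg, 1)))
    return hits


if __name__ == "__main__":
    for src, dst, interval in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {src} -> {dst} every {interval}s")
```

Real agents often add random jitter to the retry timer, so the `max_jitter` threshold is a tuning knob rather than a fixed rule; a low coefficient of variation over many connections is the signal, not any single interval value.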
Note that the registry keys will change each time, so make sure that you document where Metasploit adds the registry keys.
Leveraging Post Exploitation Modules
As mentioned earlier, the Meterpreter scripts are slowly being converted to post exploitation modules. The move to post exploitation modules will finally give a fully consistent standard and format to the Metasploit modules. In the past, Meterpreter scripts used their own format, which was very different from the way other modules behaved.
One added benefit of moving the modules to the same format is the ability to perform the same attack on all sessions available. Suppose, for example, that you have 10 open Meterpreter shells. In the traditional fashion, you would need to run hashdump on each or write custom scripts to query through each console. In the new format, you would be able to interact with each session and perform the hashdump on multiple systems if needed.
This is useful if we use a command shell payload as an initial stager and then find that this newly exploited system would make the perfect launching pad for further attacks into the network. If you had already executed the exploit command at this point, you could simply press CTRL-Z and run the session in the background. For example, in the following listing, we'll drop into an interactive Ruby shell (irb), available through Meterpreter.
The irb shell allows us to interact directly with Meterpreter through Ruby-based syntax. In this example, we simply called the user. The implications are huge: Railgun gives you the same capabilities as a native Win32 application with full access to the Windows API. Meterpreter is a continuously evolving tool with an enormous amount of support for scripts and additions. Once you become comfortable with the overall interface, you will be able to master anything new. In Chapter 16, you will learn how to create your own Meterpreter scripts from scratch and how the overall structure of a Meterpreter script is designed.
Most antivirus software uses signatures to identify aspects of malicious code that are present in a sampling of malicious software. These signatures are loaded into antivirus engines and then used to scan disk storage and running processes for matches. When a match is found, the antivirus software takes certain steps to respond to the situation: Most quarantine the binary or kill the running process.
As you might imagine, this model has scaling issues. For one, the amount of malicious code in the wild means that an antivirus product loaded with signatures can check files only so quickly for matching signatures. Also, the signatures must be specific enough to trigger only when they encounter truly malicious programs, not legitimate software.
This model is relatively easy to implement, yet it provides limited success in practice. That being said, a lot of money is being made by antivirus publishers, and many smart and talented people work in the industry. If you plan to use a payload that is not custom built, you can expect that antivirus software will detect it. To evade antivirus, we can create unique payloads to run on an antivirus software-protected system that will not match any of the available signatures.
When we send a payload as part of an exploit, most antivirus programs will not detect that it has been run on the target. Consider the sorts of characteristics that might trigger antivirus software, and try to use the techniques presented here to change sections of code so that they no longer match the antivirus signatures. Because it can take some time and multiple tries to circumvent certain antivirus engines, before we try to deploy a payload, we check the antivirus solution to make sure the payload gets past it before we deploy it on the target.
Avoiding Detection
Encoding with MSFencode
One of the best ways to avoid being stopped by antivirus software is to encode our payload with msfencode. Msfencode is a useful tool that alters the code in an executable so that it looks different to antivirus software but will still run the same way. Much as the binary attachment in email is encoded in Base64, msfencode encodes the original executable in a new binary.
Then, when the executable is run, msfencode decodes the original code into memory and executes it. You can use msfencode -h to see a list of msfencode usage options. Of the msfencode options, the encoder formats are among the most important. For a list of encoder formats, we use msfencode -l, as shown next. Notice that different encoders are used for different platforms, because, for example, a PowerPC (PPC) encoder will not operate correctly on an x86 platform because of differences in the two architectures.
The response tells us that it is. Unfortunately, after the payload2. Within the Framework, we can get better results through multi-encoding, which allows the payload to be encoded several times to throw off antivirus programs that check for signatures. Of course, the payload that an antivirus product will flag is a mystery: Every time you generate a payload, the same antivirus program can flag it once and miss it another time. It is recommended that you test your script using an evaluation version of a product to see if it bypasses the antivirus software prior to using it in a penetration test.
We are using a total of 17 encoding loops in an attempt to circumvent the antivirus software. And, as you can see in the figure, we have successfully slipped our payload past the antivirus engine. Although this template is changed on occasion, antivirus vendors still look for it when building signatures.
However, msfencode now supports the use of any Windows executable in place of the default executable template via the -x option.
Launching a Payload Stealthily
For the most part, when a targeted user launches a backdoored executable such as the one we just generated, nothing will appear to happen, and that can raise suspicions. The -k flag configures the payload to launch in a separate thread from the main executable so the application will behave normally while the payload is being executed. Now, as shown in the figure, when this executable is processed with AVG, it comes back clean and should execute while still presenting us with a shell!
This option may not work with all executables, so be sure to test yours before deployment. If you choose a GUI-based application and do not specify the -k flag, when the payload is executed, the target will not see a console window. Paying attention to these little details can help you remain stealthy during an engagement.
Packers
Packers are tools that compress an executable and combine it with decompression code.
When this new executable is run, the decompression code re-creates the original executable from the compressed code before executing it. This usually happens transparently so the compressed executable can be used in exactly the same way as the original. The result of the packing process is a smaller executable that retains all the functionality of the original.
As with msfencode, packers change the structure of an executable. However, unlike the msfencode encoding process, which often increases the size of an executable, a carefully chosen packer will use various algorithms to both compress and encrypt an executable. Type 'upx --help' for more detailed help. You can see that UPX compresses our payload. In our tests, only 9 of 42 antivirus vendors detected the UPX-packed binaries.
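The encoding and packing sections above both rest on the same observation: the original bytes no longer appear in the file, so a byte signature misses. The defensive counterpart is to look at what encoding and compression do to a file's statistics rather than at specific bytes. Below is an added example, not code from the book or from UPX, that computes the Shannon entropy of a buffer (compressed or encrypted data sits near 8 bits per byte, while code and text sit well below) and, separately, checks for the UPX0/UPX1 section names and "UPX!" marker that stock UPX leaves in a packed file. The sample buffers and the 7.2-bit threshold are constructed assumptions for the example.

```python
"""Entropy and UPX-marker heuristics for packed or encoded executables.

Added example (not from the book). Signature scanning looks for known
bytes; encoding and packing remove them. These checks instead measure
whether a buffer looks like compressed/encrypted data at all.
"""
import math
from collections import Counter

# Markers that an unmodified UPX build writes into a packed PE file:
# the section names UPX0/UPX1 and the "UPX!" magic in the packer header.
UPX_MARKERS = (b"UPX0", b"UPX1", b"UPX!")


def shannon_entropy(buf: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty or single-valued input,
    8.0 for perfectly uniform bytes)."""
    if not buf:
        return 0.0
    counts = Counter(buf)
    n = len(buf)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def has_upx_markers(buf: bytes) -> bool:
    """True if any stock UPX section name or magic string is present."""
    return any(m in buf for m in UPX_MARKERS)


def classify(buf: bytes, threshold: float = 7.2) -> str:
    """Label a buffer: 'upx-packed' if UPX markers are present,
    'high-entropy' if it looks compressed/encrypted, else 'plain'.
    The threshold is an assumed tuning value, not a fixed standard."""
    if has_upx_markers(buf):
        return "upx-packed"
    if shannon_entropy(buf) >= threshold:
        return "high-entropy"
    return "plain"


# Constructed sample inputs (not real binaries).
PLAIN_TEXT = (b"The quick brown fox jumps over the lazy dog. " * 20)
UNIFORM_BYTES = bytes(range(256)) * 4          # every byte value equally often
FAKE_UPX_HEADER = b"MZ" + b"\x00" * 62 + b"UPX0" + b"\x00" * 36 + b"UPX1"


if __name__ == "__main__":
    for name, sample in [("text", PLAIN_TEXT), ("uniform", UNIFORM_BYTES),
                         ("upx-header", FAKE_UPX_HEADER)]:
        print(f"{name:11s} entropy={shannon_entropy(sample):.2f} "
              f"-> {classify(sample)}")
```

Entropy on its own is a weak signal: legitimate installers, media and already-compressed resources are also high-entropy, so in practice it is combined with section-level measurements and marker checks like the UPX one rather than used as a verdict by itself.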
MSFVENOM
In this chapter we cover only the msfpayload and msfencode utilities, but there is an additional tool called msfvenom that combines the functionalities of msfpayload and msfencode in a simpler-to-use interface. Msfvenom is not covered in detail in this book (see Appendix B), but it should be very easy to use after you become familiar with msfpayload and msfencode.
As of this writing, the methods and processes documented in this chapter work successfully; however, experience has shown that even a few months can bring major changes in how antivirus evasion is accomplished. Antivirus evasion, like all penetration testing skills, needs to be practiced and requires dedicated research to help you ensure success in your engagements. When one avenue of attack becomes too difficult to penetrate, attackers can find new and easier methods for attacking their targets. Client-side attacks were the next evolution of attacks after network defenses became more prominent.
These attacks target software commonly installed on computers in such programs as web browsers, PDF readers, and Microsoft Office applications. Because these programs are commonly installed on computers out of the box, they are obvious attack vectors for hackers. If you can bypass all the protective countermeasures a company has in place and infiltrate a network by tricking a user into clicking a malicious link, you have a much better chance of achieving a compromise. Suppose, for example, that you are performing a covert penetration test against a corporate target using social engineering.
You decide that sending a phishing email to targeted users will present your best chance of success. You harvest email accounts, names, and phone numbers; browse social-networking sites; and create a list of known employees. Your malicious email instructs the email recipients that payroll information needs to be updated; they need to click a link (a malicious link) in the email to do this. This scenario is a common technique regularly leveraged in both penetration tests and actual malicious attacks. It is often easier to attack via users than it is to exploit Internet-facing resources.
Most organizations spend a significant amount of money protecting their Internet-facing systems with tools such as intrusion prevention systems (IPSs) and web application firewalls, while not investing nearly as much in educating their users about social-engineering attacks. In March, RSA, a well-known security company, was compromised by an attacker leveraging this same process. A malicious attacker sent an extremely targeted spear-phishing email that was crafted specifically for an Adobe Flash zero-day vulnerability.
Spear-phishing is an attack whereby users are heavily researched and targeted rather than randomly chosen from a company address book. Browser-based exploits are important techniques, because in many organizations, users spend more time using their web browsers than using any other applications on their computers. Consider another scenario: We send an email to a small group at an organization with a link that each user will click. The users click the link, and their browsers open to our website, which has been specially crafted to exploit a vulnerability in a certain version of Internet Explorer.
On our end, access would be gained via a payload (Meterpreter, for example) running within the context of the user who visited the site. Note one important element in this example: If the target user were running as an administrator, the attacker (we) would do the same. Client-side exploits traditionally run with the same permissions and rights as the target they exploit. Often this is a regular user without administrative privileges, so we would need to perform a privilege-escalation attack to obtain additional access, and an additional exploit would be necessary to elevate privileges.
We could also potentially attack other systems on the network in hopes of gaining administrative-level access. Consider your network situation: Is your important data accessible via user accounts? Or is it accessible only to the administrator account? In browser exploits, the most traditional way to gain remote code execution is through an exploitation technique called heap spraying.
The application will allocate whatever memory is necessary to complete whatever task is at hand. The location of memory allocated at runtime is not known in advance, so as attackers, we would not know where to place our shellcode. NOPs are covered in detail in Chapter 15, but we'll cover the basics here because they are important to understanding how heap spraying works.
The heap spraying technique involves filling the heap with a known repeating pattern of NOP slides and your shellcode until you fill the entire memory space with this known value. The attacker fills large blocks of memory with NOP slides and shellcode directly after them. When program execution flow is altered and randomly jumps somewhere into memory, there is a good chance of hitting a NOP slide and eventually hitting the shellcode. Instead of looking for a needle in a haystack — that is, the shellcode in memory — heap spraying offers an 85 to 90 percent chance of the exploit being successful.
This technique changed the game in browser exploitation and in the reliability of exploiting browser bugs. A 90 in Intel x86 assembly is a NOP. The rest of the code is the payload, such as a reverse shell or a Meterpreter shell. Penetration testers leverage debuggers on a regular basis to identify zero-day vulnerabilities and to understand how an application works and how to attack it.
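The two properties of a heap spray described above, long runs of 0x90 NOPs and the same sled-plus-payload block repeated until memory is full, are also what memory scanners and intrusion detection systems key on. The following is an added example, not code from the book or the Framework: one function reports runs of 0x90 at or above a length threshold in a byte buffer, and another measures how much of a buffer consists of a single repeated chunk. The sample buffers (with 0xCC standing in for a payload) and the thresholds are constructed assumptions for the example.

```python
"""Heuristics for NOP-sled and heap-spray-like content in a byte buffer.

Added example (not from the book). Heap spraying fills memory with
repeating [NOP sled][payload] blocks; these checks flag the two artifacts
that pattern leaves behind: long 0x90 runs and massive chunk repetition.
"""
from collections import Counter

NOP = 0x90  # the x86 one-byte NOP named in the text


def find_nop_sleds(buf: bytes, min_run: int = 32):
    """Return (offset, length) for every run of 0x90 bytes at least
    min_run long. Only the canonical NOP is matched; attackers can use
    other single-byte instructions as filler, so this is a heuristic."""
    runs = []
    start = None
    for i, b in enumerate(buf):
        if b == NOP:
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_run:
                runs.append((start, i - start))
            start = None
    if start is not None and len(buf) - start >= min_run:
        runs.append((start, len(buf) - start))
    return runs


def repeated_chunk_fraction(buf: bytes, chunk_size: int = 32) -> float:
    """Fraction of fixed-size chunks equal to the single most common chunk.
    A sprayed region is dominated by one repeated block; ordinary data is
    not. Returns 0.0 for buffers shorter than one chunk."""
    chunks = [buf[i:i + chunk_size] for i in range(0, len(buf) - chunk_size + 1, chunk_size)]
    if not chunks:
        return 0.0
    most_common_count = Counter(chunks).most_common(1)[0][1]
    return most_common_count / len(chunks)


def looks_sprayed(buf: bytes, min_run: int = 32, repeat_threshold: float = 0.5) -> bool:
    """Combine both signals: at least one sled and heavy chunk repetition."""
    return bool(find_nop_sleds(buf, min_run)) and \
        repeated_chunk_fraction(buf) >= repeat_threshold


# Constructed samples (not real memory or traffic). The sprayed buffer is
# ten copies of a 200-byte sled followed by 24 bytes of 0xCC "payload".
SPRAY_BLOCK = bytes([NOP]) * 200 + b"\xcc" * 24
SPRAYED = SPRAY_BLOCK * 10
BENIGN = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n" * 40


if __name__ == "__main__":
    for name, sample in [("sprayed", SPRAYED), ("benign", BENIGN)]:
        print(f"{name}: sleds={len(find_nop_sleds(sample))} "
              f"repeat={repeated_chunk_fraction(sample):.2f} "
              f"flag={looks_sprayed(sample)}")
```

Note that the benign HTTP sample is itself highly repetitive (the same request repeated), which is why `looks_sprayed` requires both signals: repetition alone is common in legitimate data, and a sled alone can be short and incidental.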
A number of debuggers are out there, but our personal preference going forward and used in later chapters is Immunity Debugger. We recommend that you take a look at the basics of Immunity Debugger before proceeding. As you learned in previous chapters, a bind shell simply listens on a port on a target machine to which we can connect. We are concerned only with the stage 1 shellcode, because Metasploit will handle sending the second stage for us when we connect to it.
Copy and paste the shellcode from stage 1 into a text editor of your choice. Now you have a bind shell with some NOPs in front of it for testing. You should see a number of assembly instructions in the main window (the largest one). Left-click the first instruction on the screen, and hold down SHIFT while left-clicking to highlight about instructions below it. This will paste the assembly instructions from the example into the Immunity Debugger window.
Remember that we are doing this to identify how NOPs work and how assembly instructions are executed. You can see in the figure that a number of NOPs are inserted; if you were to scroll down, you would see your shellcode. When we first exported our shellcode in a bind tcp format, the last instruction through stage 1 ended with ecc3. Locate the last set of memory instructions we added ending in ecc3.