Metasploit Demo

1
Metasploit Demo

• Matt Warnock
• BUS 504

2
Metasploit Framework Overview

• Open source tool
• Used for
• Penetration testing
• IDS Signature Development
• Exploit Research
• Consists of
• Web server
• Console
• Signatures

3
Overview continued

• Runs on any operating system
• Source code for Linux/Unix/MacOS X
• Portable to Windows via CYGWIN
• Allows anyone to exploit usually root certain
  machines with only an IP address and a basic
  background of the system
• Requires no knowledge of the software bug, or
  exploit machine code

4
Overview cont
point click
5
Metasploit Framework Overview

• Open source tool
• Used for
• Penetration testing
• IDS Signature Development
• Exploit Research
• Consists of
• Web server
• Console
• Signatures

6
Penetration Testing Overview

• Active evaluation of a system or network of
  systems
• Assume the role of a black hat hacker or bad
  guy
• Often uses the same tools as hackers

7
Penetration Overview Continued

• Metasploit brings together many of the tools and
  techniques used by hackers

8
Metasploit does not do it all

• While metasploit can be used to compromise many
  system architectures (Sun/Intel/Mac) as well as
  many Operating Systems (Windows, Solaris, Linux)
  it does not do everything
• User must still do recon and/or vulnerability
  scans

9
WARNINGS

• Metasploit is very powerful, and very dangerous
• This is a briefing of a demo I did on my own
  systems network, not a live demo
• I used VMWare to isolate the operating system
  from other systems and the internet
• Use of this an any unauthorized way will get you
  fired/arrested/deported/smited by God, etc...

10
Installation

• Installed on both Windows and Linux with same
  results/ease of use
• Uses a web server as interface
• Signature updates downloaded automatically
• Started the web server logged in

11
Web Interface
12
Web Interface
List of available Exploits
13
Web Interface
Filter by Service/OS
14
Web Interface
Sessions
15
Demo

• System 1 Linux
• Used Redhat 8 Released Sept 2002, still in wide
  use
• Running services samba (file sharing), and SSH

16
Linux system - Port scan
17
Linux system - Port scan

• Nmap reveals several things
• Services SSH, rpcbind, filesharing
• Operating System Linux, kernel version 2.4.6
  2.4.26, or 2.4.9, 2.6.5 2.6.11
• Doesnt tell us the distribution, but we can guess

18
Demo

• Select linux from exploit filters

19
(No Transcript)
20
Demo

• Filesharing (port 139) is running on a linux
  machine
• Assume samba is running
• Choose samba trans2open from list of exploits

21
(No Transcript)
22
Samba versions
23
Operating Systems
24
(No Transcript)
25
Available payloads
26
Demo

• Payloads
• Add User
• Bind shell
• Exec execute one command
• And many more
• Chose linux_ia32_bind

27
(No Transcript)
28
Target IP
29
Check target
30
Run exploit
31
Demo

• I had little success with check option.
• Most of the time, metasploit would say it was not
  vulnerable, however, it was
• Run Exploit

32
(No Transcript)
33
Click here to run
34
(No Transcript)
35
Exploit run successfully
36
Click here to view
37
(No Transcript)
38
Access to shell w/ root priv
39
View shadow file w/ password hashes
40
(No Transcript)
41
Wrote to files on webserver
42
Demo
43
Demo
My text is now on the web server
44
(No Transcript)
45
Full write access to root home directory
46
Demo

• Shell access opens up the doors to any other
  service
• Steal passwords
• Add/delete users
• Alter/disrupt services
• Download files
• Change files
• Change logs
• Full access to any other privilege services on
  other machines

47
Demo

• No entries of exploit left in the logs

48
System 2

• Windows 2000 Adv Server
• Released February 2000, still supported by
  Microsoft and in wide use
• Running DEFAULT services
• File sharing
• Web server
• MANY other services (see nmap scan)

49
Windows system - Port scan
50
Windows system - Port scan

• Nmap reveals several things
• Services Just about everything you can think of
• Operating System Windows 95/98/ME/2000/XP
• Doesnt tell us the version, but based on the
  number of services, we can guess Windows NT or
  2000 Server

51
Demo

• Select Win2000 from exploit filters

52
(No Transcript)
53
Demo

• Chose IIS 5.0 WinDAV ntdll.dll Overflow

54
(No Transcript)
55
(No Transcript)
56
(No Transcript)
57
Full access to Windows System files
58
(No Transcript)
59
Full access to Web server files
60
Demo

• After issuing several commands, the session
  locked up
• I also tried viewing the web page on this system

61
(No Transcript)
62
Web server locked up after exploit
63
Demo

• As system administrator, I viewed system logs

64
(No Transcript)
65
Service terminated Obvious to system administrator
66
(No Transcript)
67
No security logs
68
Demo
69
(No Transcript)
70
Service cannot be restarted
71
Demo

• Again, full access to the machine
• Lots of evidence left behind

72
Summary

• Metasploit is very easy to use, and very powerful
• Web interface allows the scans to be run from any
  system, on any operating system
• Evidence may or may not be left behind on the
  system
• IDS/IPS will sense these exploits
• Only contains old well known exploits

73
Questions