Metasploit Demo - PowerPoint PPT Presentation

Slides: 74
Provided by: warno
Transcript and Presenter's Notes

1
Metasploit Demo
  • Matt Warnock
  • BUS 504

2
Metasploit Framework Overview
  • Open source tool
  • Used for
  • Penetration testing
  • IDS Signature Development
  • Exploit Research
  • Consists of
  • Web server
  • Console
  • Signatures

3
Overview continued
  • Runs on any operating system
  • Source code for Linux/Unix/MacOS X
  • Portable to Windows via CYGWIN
  • Allows anyone to exploit (usually as root) certain
    machines with only an IP address and a basic
    background of the system
  • Requires no knowledge of the software bug, or
    exploit machine code

4
Overview cont
Point and click
5
Metasploit Framework Overview
  • Open source tool
  • Used for
  • Penetration testing
  • IDS Signature Development
  • Exploit Research
  • Consists of
  • Web server
  • Console
  • Signatures

6
Penetration Testing Overview
  • Active evaluation of a system or network of
    systems
  • Assume the role of a black hat hacker or bad
    guy
  • Often uses the same tools as hackers

7
Penetration Overview Continued
  • Metasploit brings together many of the tools and
    techniques used by hackers

8
Metasploit does not do it all
  • While metasploit can be used to compromise many
    system architectures (Sun/Intel/Mac) as well as
    many Operating Systems (Windows, Solaris, Linux)
    it does not do everything
  • User must still do recon and/or vulnerability
    scans

9
WARNINGS
  • Metasploit is very powerful, and very dangerous
  • This is a briefing of a demo I did on my own
    systems network, not a live demo
  • I used VMWare to isolate the operating system
    from other systems and the internet
  • Use of this in any unauthorized way will get you
    fired/arrested/deported/smited by God, etc...

10
Installation
  • Installed on both Windows and Linux with same
    results/ease of use
  • Uses a web server as interface
  • Signature updates downloaded automatically
  • Started the web server and logged in

11
Web Interface
12
Web Interface
List of available Exploits
13
Web Interface
Filter by Service/OS
14
Web Interface
Sessions
15
Demo
  • System 1 Linux
  • Used Redhat 8, released Sept 2002, still in wide
    use
  • Running services: samba (file sharing) and SSH

16
Linux system - Port scan
17
Linux system - Port scan
  • Nmap reveals several things
  • Services: SSH, rpcbind, file sharing
  • Operating System: Linux, kernel version 2.4.6 -
    2.4.26, or 2.4.9, 2.6.5 - 2.6.11
  • Doesn't tell us the distribution, but we can guess

18
Demo
  • Select linux from exploit filters

19
(No Transcript)
20
Demo
  • File sharing (port 139) is running on a Linux
    machine
  • Assume samba is running
  • Choose samba trans2open from list of exploits

21
(No Transcript)
22
Samba versions
23
Operating Systems
24
(No Transcript)
25
Available payloads
26
Demo
  • Payloads:
  • Add User
  • Bind shell
  • Exec: execute one command
  • And many more
  • Chose linux_ia32_bind

27
(No Transcript)
28
Target IP
29
Check target
30
Run exploit
31
Demo
  • I had little success with the check option.
  • Most of the time, metasploit would say it was not
    vulnerable, however, it was
  • Run Exploit

32
(No Transcript)
33
Click here to run
34
(No Transcript)
35
Exploit run successfully
36
Click here to view
37
(No Transcript)
38
Access to shell w/ root priv
39
View shadow file w/ password hashes
40
(No Transcript)
41
Wrote to files on webserver
42
Demo
43
Demo
My text is now on the web server
44
(No Transcript)
45
Full write access to root home directory
46
Demo
  • Shell access opens up the doors to any other
    service
  • Steal passwords
  • Add/delete users
  • Alter/disrupt services
  • Download files
  • Change files
  • Change logs
  • Full access to any other privileged services on
    other machines

47
Demo
  • No entries of exploit left in the logs

48
System 2
  • Windows 2000 Adv Server
  • Released February 2000, still supported by
    Microsoft and in wide use
  • Running DEFAULT services
  • File sharing
  • Web server
  • MANY other services (see nmap scan)

49
Windows system - Port scan
50
Windows system - Port scan
  • Nmap reveals several things
  • Services: just about everything you can think of
  • Operating System: Windows 95/98/ME/2000/XP
  • Doesn't tell us the version, but based on the
    number of services, we can guess Windows NT or
    2000 Server
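
The two port-scan slides (17 and 50) read an nmap result by hand: which services are listening and what the OS fingerprint suggests. The script below is an added example, not part of the presentation, that does the same reading from nmap's greppable (-oG) output format and flags open services that a defender should review because the deck shows them as footholds (SMB/samba, rpcbind, IIS). The two Host: lines, the IP addresses and the service review list are constructed for the example; they are not the presenter's real scan output.

```python
"""Parse nmap greppable (-oG) output and flag exposed services to review.

Added example, not from the presentation. The sample scan lines are
constructed to resemble the Linux and Windows hosts in the demo.
"""
import re

# Constructed sample of nmap -oG output: one "Host:" line per target.
# Each port entry is port/state/protocol/owner/service/rpcinfo/version/
SAMPLE_GNMAP = """\
# Nmap scan initiated -- constructed sample, not real output
Host: 192.168.56.10 (linuxbox)\tPorts: 22/open/tcp//ssh///, 111/open/tcp//rpcbind///, 139/open/tcp//netbios-ssn///\tIgnored State: closed (1660)
Host: 192.168.56.20 (win2k)\tPorts: 80/open/tcp//http///, 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 1025/open/tcp//NFS-or-IIS///\tIgnored State: closed (1658)
"""

# Services the slides show being used as a way in (samba/SMB, rpcbind,
# IIS) plus MSRPC; a constructed review list, adjust to your own policy.
REVIEW_SERVICES = {"netbios-ssn", "microsoft-ds", "rpcbind", "http", "msrpc"}

# Seven slash-separated fields per port entry in the Ports: column.
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")


def parse_gnmap(text):
    """Return {ip: [(port, proto, state, service), ...]} per Host: line."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comments and "# Nmap done" lines carry no ports
        # Columns are tab separated: "Host: ...", "Ports: ...", "Ignored State: ..."
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ip = fields["Host"].split()[0]
        ports = []
        for m in PORT_RE.finditer(fields.get("Ports", "")):
            port, state, proto, _owner, service, _rpc, _version = m.groups()
            ports.append((int(port), proto, state, service))
        hosts[ip] = ports
    return hosts


def flag_exposures(hosts, review=REVIEW_SERVICES):
    """List (ip, port, service) for open ports whose service needs review."""
    findings = []
    for ip, ports in sorted(hosts.items()):
        for port, proto, state, service in ports:
            if state == "open" and service in review:
                findings.append((ip, port, service))
    return findings


if __name__ == "__main__":
    for ip, port, service in flag_exposures(parse_gnmap(SAMPLE_GNMAP)):
        print(f"{ip}:{port} {service} - review whether this must be exposed")
```

Run it against a real scan with `nmap -oG scan.gnmap <your hosts>` and feed the file contents to `parse_gnmap`. The point mirrors slide 48: a host running its default services exposes far more than the two services the Linux box did, and an inventory like this is the first step in turning those services off.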

51
Demo
  • Select Win2000 from exploit filters

52
(No Transcript)
53
Demo
  • Chose IIS 5.0 WebDAV ntdll.dll Overflow

54
(No Transcript)
55
(No Transcript)
56
(No Transcript)
57
Full access to Windows System files
58
(No Transcript)
59
Full access to Web server files
60
Demo
  • After issuing several commands, the session
    locked up
  • I also tried viewing the web page on this system

61
(No Transcript)
62
Web server locked up after exploit
63
Demo
  • As system administrator, I viewed system logs

64
(No Transcript)
65
Service terminated: obvious to system administrator
66
(No Transcript)
67
No security logs
68
Demo
69
(No Transcript)
70
Service cannot be restarted
71
Demo
  • Again, full access to the machine
  • Lots of evidence left behind

72
Summary
  • Metasploit is very easy to use, and very powerful
  • Web interface allows the scans to be run from any
    system, on any operating system
  • Evidence may or may not be left behind on the
    system
  • IDS/IPS will detect these exploits
  • Only contains old well known exploits
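
Slides 63 to 71 show what an administrator can actually find after the Windows exploit: a crashed IIS service recorded in the System log, and an empty Security log because auditing was never turned on. The script below is an added example, not part of the presentation, that scans a CSV export of Windows event logs for both signals. The export format and the log lines are constructed for the example; event IDs 7031 and 7034 are the real Service Control Manager IDs for a service that terminated unexpectedly.

```python
"""Look for post-exploit evidence in an exported Windows event log.

Added example, not from the presentation. SAMPLE_EXPORT is constructed to
resemble the System log of the crashed Windows 2000 web server in the demo.
"""
import csv
import io
import re

# Constructed CSV export with columns Log,EventID,Source,Message.
SAMPLE_EXPORT = """\
Log,EventID,Source,Message
System,7036,Service Control Manager,The World Wide Web Publishing Service service entered the running state.
System,7034,Service Control Manager,The World Wide Web Publishing Service service terminated unexpectedly. It has done this 1 time(s).
System,7036,Service Control Manager,The IIS Admin Service service entered the stopped state.
"""

# Service Control Manager events for a service that died without being
# stopped: 7034 ("terminated unexpectedly") and 7031 (same, with recovery).
UNEXPECTED_STOP_IDS = {7031, 7034}

# Logs every Windows 2000 host keeps; an empty Security log in an export
# usually means no audit policy was ever enabled (slide 67).
EXPECTED_LOGS = ("Application", "Security", "System")

CRASH_RE = re.compile(r"The (.+?) service terminated unexpectedly")


def parse_export(text):
    """Return the export as a list of dicts keyed by the CSV header."""
    return list(csv.DictReader(io.StringIO(text)))


def find_crashes(events):
    """Return (event_id, service_name) for SCM events reporting a dead service.

    A service that listened on an exploited port and then died is exactly the
    kind of evidence the slides call "obvious to system administrator".
    """
    crashes = []
    for ev in events:
        if ev["Log"] != "System" or ev["Source"] != "Service Control Manager":
            continue
        event_id = int(ev["EventID"])
        if event_id in UNEXPECTED_STOP_IDS:
            m = CRASH_RE.search(ev["Message"])
            crashes.append((event_id, m.group(1) if m else "unknown service"))
    return crashes


def audit_gaps(events):
    """Names of expected logs that have no entries at all in the export."""
    present = {ev["Log"] for ev in events}
    return sorted(set(EXPECTED_LOGS) - present)


if __name__ == "__main__":
    events = parse_export(SAMPLE_EXPORT)
    for event_id, service in find_crashes(events):
        print(f"event {event_id}: '{service}' terminated unexpectedly")
    for log in audit_gaps(events):
        print(f"no entries from the {log} log - check audit policy")
```

Empty output from `find_crashes` does not mean nothing happened: the Linux samba exploit on slide 47 left no log entries at all, which is why the summary says evidence "may or may not" be left behind and why an IDS/IPS in front of the host is the more reliable signal.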

73
Questions