Title: Metasploit Demo
Metasploit Framework Overview
- Open source tool
- Used for
  - Penetration testing
  - IDS signature development
  - Exploit research
- Consists of
  - Web server (the interface used in this demo)
  - Console
  - Exploit modules and payloads
Overview continued
- Runs on any operating system
  - Source code for Linux/Unix/Mac OS X
  - Portable to Windows via Cygwin
- Allows anyone to exploit (usually as root) certain machines with only an IP address and a basic background on the system
- Requires no knowledge of the software bug or of the exploit machine code
- Point and click
Penetration Testing Overview
- Active evaluation of a system or network of systems
- Assume the role of a black hat hacker or "bad guy"
- Often uses the same tools as hackers
- Metasploit brings together many of the tools and techniques used by hackers
Metasploit does not do it all
- While Metasploit can be used to compromise many system architectures (Sun/Intel/Mac) as well as many operating systems (Windows, Solaris, Linux), it does not do everything
- The user must still do reconnaissance and/or vulnerability scans to find targets and pick an exploit
WARNINGS
- Metasploit is very powerful, and very dangerous
- This is a briefing of a demo I did on my own systems' network, not a live demo
- I used VMware to isolate the operating systems from other systems and the internet
- Use of this in any unauthorized way will get you fired/arrested/deported/smited by God, etc...
Installation
- Installed on both Windows and Linux with the same results/ease of use
- Uses a web server as the interface
- Exploit and payload module updates are downloaded automatically
- Started the web server and logged in
Web Interface
- List of available exploits
- Filter by service/OS
- Sessions
Demo
- System 1: Linux
  - Red Hat Linux 8, released September 2002, still in wide use
  - Running services: Samba (file sharing) and SSH
Linux system - port scan
- Nmap reveals several things
  - Services: SSH, rpcbind, file sharing
  - Operating system: Linux, kernel version 2.4.6-2.4.26, 2.4.9, or 2.6.5-2.6.11 (nmap's fingerprint guess)
  - Doesn't tell us the distribution, but we can guess
Demo
- Select Linux from the exploit filters
- File sharing (port 139) is running on a Linux machine, so assume Samba is running
- Choose samba_trans2open from the list of exploits (the trans2open buffer overflow in Samba 2.2.0 through 2.2.8, CVE-2003-0201, fixed in 2.2.8a)
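The two steps above (read the nmap results, then pick an exploit filter by OS and service) are the recon work the deck says Metasploit leaves to the user. The following is an added example, not code from the deck or from the Metasploit project: it parses nmap's grepable (-oG) output and maps open ports plus the OS guess to candidate Metasploit 2.x module names. The scan lines are constructed to mirror the two demo targets, and the (OS family, port) to module mapping is an illustrative assumption, not something Metasploit itself provides.

```python
"""Turn an nmap -oG scan into Metasploit exploit-filter hints (added example)."""

# Constructed -oG lines mimicking the demo hosts; not real scan output.
SCAN = (
    "Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh///, 111/open/tcp//rpcbind///, "
    "139/open/tcp//netbios-ssn///\tOS: Linux 2.4.6 - 2.4.26\n"
    "Host: 192.168.1.20 ()\tPorts: 21/open/tcp//ftp///, 80/open/tcp//http///, "
    "135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///"
    "\tOS: Microsoft Windows 2000|XP\n"
    "Host: 192.168.1.30 ()\tPorts: 80/open/tcp//http///\n"
)

# Assumed mapping (for illustration) from (OS family, open port) to a
# Metasploit 2.x module name and the reason it is worth trying.
RULES = {
    ("linux", 139): ("samba_trans2open",
                     "Samba 2.2.0-2.2.8 trans2open overflow (CVE-2003-0201)"),
    ("windows", 80): ("iis50_webdav_ntdll",
                      "IIS 5.0 WebDAV ntdll.dll overflow (MS03-007)"),
}


def parse_grepable(text):
    """Parse nmap -oG 'Host:' lines into {ip, ports: {port: service}, os}."""
    hosts = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = {}
        for chunk in line.split("\t"):          # -oG separates sections with tabs
            key, _, value = chunk.partition(": ")
            fields[key] = value.strip()
        ip = fields["Host"].split()[0]
        ports = {}
        for entry in fields.get("Ports", "").split(", "):
            if not entry:
                continue
            # -oG port entry: port/state/proto/owner/service/rpcinfo/version/
            parts = entry.split("/")
            if parts[1] == "open":
                ports[int(parts[0])] = parts[4]
        hosts.append({"ip": ip, "ports": ports, "os": fields.get("OS", "")})
    return hosts


def os_family(os_guess):
    """Collapse nmap's OS guess into the filter families the web UI offers."""
    guess = os_guess.lower()
    if "linux" in guess:
        return "linux"
    if "windows" in guess:
        return "windows"
    return "unknown"


def suggest_modules(hosts):
    """Return candidate modules per host; a hint is a lead, not a confirmed vuln."""
    hints = []
    for h in hosts:
        fam = os_family(h["os"])
        for port in sorted(h["ports"]):
            rule = RULES.get((fam, port))
            if rule:
                hints.append({"ip": h["ip"], "port": port,
                              "module": rule[0], "why": rule[1]})
    return hints


if __name__ == "__main__":
    for hint in suggest_modules(parse_grepable(SCAN)):
        print(f"{hint['ip']}:{hint['port']} -> {hint['module']} ({hint['why']})")
```

A hint only says the port and OS family match an exploit's target; the third host has no OS guess and gets nothing. The deck's author reports that the module's built-in check was unreliable, so a hint still needs the actual service version confirmed before the exploit is run.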
Samba versions (target selection)
Operating systems (target selection)
Available payloads
Demo
- Payloads
  - Add user
  - Bind shell
  - Exec (execute one command)
  - And many more
- Chose linux_ia32_bind (a bind shell: the payload listens on a port on the target and gives a shell to whoever connects)
Target IP
Check target
Run exploit
Demo
- I had little success with the check option.
- Most of the time, Metasploit would say it was not vulnerable; however, it was
- Run exploit
Click here to run
Exploit ran successfully
Click here to view
Access to a shell with root privileges
View the shadow file with password hashes
Wrote to files on the web server
Demo
- My text is now on the web server
Full write access to root's home directory
Demo
- Shell access opens the door to every other service
  - Steal passwords
  - Add/delete users
  - Alter/disrupt services
  - Download files
  - Change files
  - Change logs
  - Full access to any other privileged service on other machines
- No entries from the exploit were left in the logs
System 2
- Windows 2000 Advanced Server
  - Released February 2000, still supported by Microsoft and in wide use
  - Running DEFAULT services
    - File sharing
    - Web server (IIS 5.0)
    - MANY other services (see nmap scan)
Windows system - port scan
- Nmap reveals several things
  - Services: just about everything you can think of
  - Operating system: Windows 95/98/ME/2000/XP (nmap's fingerprint guess)
  - Doesn't tell us the version, but based on the number of services we can guess Windows NT or 2000 Server
Demo
- Select Win2000 from the exploit filters
- Chose IIS 5.0 WebDAV ntdll.dll Overflow (the WebDAV buffer overflow in ntdll.dll patched by MS03-007)
Full access to Windows system files
Full access to web server files
Demo
- After issuing several commands, the session locked up
- I also tried viewing the web page on this system
Web server locked up after the exploit
Demo
- As system administrator, I viewed the system logs
Service terminated: obvious to the system administrator
No security logs
Service cannot be restarted
Demo
- Again, full access to the machine
- Lots of evidence left behind
Summary
- Metasploit is very easy to use, and very powerful
- The web interface allows the exploits to be run from any system, on any operating system
- Evidence may or may not be left behind on the target: nothing in the Linux logs here, but a crashed and unrestartable web service on Windows
- IDS/IPS will detect these exploits
- It only contains old, well-known exploits
Questions
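The evidence point in the summary is worth making concrete from the defender's side. The Linux run, per the deck, left nothing in the logs, so this added example (not code from the deck or from Metasploit) covers the two artifacts the Windows run did leave: an oversized WebDAV request in the IIS W3C log and an "unexpectedly terminated" service event from the Service Control Manager in the System event log. The log lines and the event-log CSV export are constructed for the example, and the URI-length threshold and the choice of WebDAV methods to watch are assumptions.

```python
"""Flag IIS WebDAV overflow attempts and service crashes in logs (added example)."""
import csv
import io

# Constructed IIS 5.0 W3C extended log; the SEARCH line stands in for the
# oversized request the WebDAV ntdll.dll exploit sends.
LONG_URI = "/" + "A" * 4000
IIS_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 5.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)",
    "2005-03-01 14:02:11 192.168.1.5 GET /default.htm - 200 Mozilla/4.0",
    "2005-03-01 14:02:13 192.168.1.5 GET /images/logo.gif - 200 Mozilla/4.0",
    f"2005-03-01 14:03:40 192.168.1.99 SEARCH {LONG_URI} - 500 -",
    "2005-03-01 14:03:41 192.168.1.99 GET /default.htm - 500 -",
])

# Constructed System event log export (Event Viewer "save as CSV" layout).
EVENT_CSV = "\n".join([
    "Type,Date,Time,Source,Category,Event,User,Computer,Description",
    "Information,3/1/2005,2:01:05 PM,eventlog,None,6005,N/A,WEBSRV,"
    "The Event log service was started.",
    "Error,3/1/2005,2:03:42 PM,Service Control Manager,None,7034,N/A,WEBSRV,"
    "The World Wide Web Publishing Service service terminated unexpectedly.  "
    "It has done this 1 time(s).",
    "Information,3/1/2005,2:10:00 PM,Service Control Manager,None,7036,N/A,WEBSRV,"
    "The IIS Admin Service service entered the stopped state.",
])

# WebDAV verbs that reach the vulnerable path handling (assumed watch-list).
WEBDAV_METHODS = {"SEARCH", "PROPFIND", "PROPPATCH", "LOCK", "UNLOCK", "MKCOL"}
# SCM event IDs for a service that died on its own rather than being stopped.
SCM_CRASH_EVENTS = {"7031", "7034"}


def parse_iis_w3c(text):
    """Parse W3C extended log text into dicts keyed by the #Fields header."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue                      # other directives and blank lines
        else:
            rows.append(dict(zip(fields, line.split())))
    return rows


def find_oversized_webdav(rows, max_uri_len=1024):
    """Return (client, method, uri length, status) for WebDAV requests whose
    URI is far longer than any legitimate path; the threshold is an assumption."""
    hits = []
    for r in rows:
        uri = r.get("cs-uri-stem", "")
        if r.get("cs-method") in WEBDAV_METHODS and len(uri) > max_uri_len:
            hits.append((r["c-ip"], r["cs-method"], len(uri), r.get("sc-status")))
    return hits


def find_service_crashes(csv_text):
    """Return (date, time, event id, description) for SCM crash events."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Source"] == "Service Control Manager" and row["Event"] in SCM_CRASH_EVENTS:
            hits.append((row["Date"], row["Time"], row["Event"], row["Description"]))
    return hits


if __name__ == "__main__":
    for hit in find_oversized_webdav(parse_iis_w3c(IIS_LOG)):
        print("IIS: oversized WebDAV request", hit)
    for hit in find_service_crashes(EVENT_CSV):
        print("SCM: service crash", hit)
```

Correlating the two (an oversized SEARCH at 14:03:40, the web service dying at 14:03:42) is what turns a "service terminated" entry that is merely obvious to the administrator into an attributable exploit attempt. Note the same pattern would not have caught the Linux run: the deck reports no log entries there at all, which is the case for network-level IDS signatures rather than host logs.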