Armitage and Metasploit Penetration Testing Lab Raphael Mudge [email protected] Twitter: @armitagehacker Armitage and Metasploit Penetration Testing Lab Penetration Testing.

Armitage and Metasploit Penetration Testing Lab

Raphael Mudge [email protected]

Twitter: @armitagehacker

Armitage and Metasploit Penetration Testing Lab

Penetration Testing

Overview
• Personal Introduction
• Penetration Testing Process
• Course Overview

Introduction – R. Mudge
• Previous Experiences
  • Penetration Tester
  • Regional CCDC Red Team x 5
  • USAF Security Researcher
  • Armitage for Metasploit
• Other Experiences
  • WordPress Grammar Checker
  • Programming Language

Penetration Testing

What?

Test security by doing what bad guys might do

Penetration Testing

Why? Motivate desire to make changes to improve security

Penetration Testing

How? Demonstrate risk

Types of Penetration Tests
• Open Source Research
• Network
• Social Engineering
• Wireless
• Web Applications
• Mobile

Penetration Testing Process
• Information Gathering
• Reconnaissance
• Access
• Post-Exploitation

Network Attack Process

Motivation

Course overview
1. Penetration Testing
2. Metasploit
3. Getting Access
4. Post Exploitation
5. Maneuver

Goals
• Install Metasploit
• Get Access to Hosts
• Post-exploitation

Learning Check
• Who is Raphael Mudge?
• Why Penetration Test?
• What are we doing today?

Armitage and Metasploit Penetration Testing Lab

Metasploit

Overview
• What is Metasploit?
• Modules
• Metasploit Console
• Armitage

What is Metasploit?

Metasploit     Linux
Modules        Programs
msfconsole     /bin/bash
RPC Daemon     sshd

Modules

Modules and Magic the Gathering © 1995-2011 Wizards of the Coast

Module Organization

Metasploit Command Sets
• Metasploit Console
  • Manage Database
  • Manage Sessions
  • Configure and Launch Modules
• Meterpreter
  • Post-exploitation activities

Console Cheat Sheet

use module - start configuring module
show options - show configurable options
set varname value - set option
exploit - launch exploit module
run - launch non-exploit
sessions -i n - interact with a session
help command - get help for a command

msfconsole
• Open ended
• Works in many places
• One task / host at a time

What is Armitage?

• A GUI for Metasploit
• Goal: Avoid this…

Armitage

Armitage Sightings…

Console Demo

Learning Check
• What is a session?
• What is a payload?
• What do exploits do?

Armitage and Metasploit Penetration Testing Lab

Getting Access

Overview
• Remote Exploits
• Exploit-free Attack
• Client-side Exploits

Network Attack Process

Remote Attack
1. Nmap Scan
2. Analyze Scan Data
3. Choose an Exploit
4. Select a Payload
5. Launch Exploit!

Which exploit do I use? Answer: These.

Name                     Where
ms08_067_netapi          Windows XP/2003 era
ms09_050_smb2_negot..    Windows Vista SP1/SP2
ms03_026_dcom            Windows 2000

Why did my exploit fail?

• Firewall
• Non-vulnerable software
• Service is hung
• The universe is taunting you
• Non-reliable exploit
• Bad day
• Mis-configured exploit
• Could not establish session

Exploit-free Attack
1. Choose a payload
2. Generate executable
3. Set up a multi/handler

Payloads

Name                                       Note
windows/meterpreter/reverse_tcp            Connects to one port
windows/meterpreter/reverse_tcp_allports   Tries every port in sequence
windows/meterpreter/reverse_https          Speaks HTTPS (!!!!)
java/meterpreter/reverse_tcp               Any platform with Java
linux/x86/shell_reverse_tcp
osx/x86/shell_reverse_tcp
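The Note column above describes two callback behaviours that a defender can look for in egress firewall logs: reverse_tcp_allports walks through ports one after another until one gets out, and the HTTPS/TCP callbacks keep returning to the same address and port. The Python below is an added example, not code from the slides, Metasploit or Armitage; the log format, the thresholds and every address, host and timestamp in it are constructed for the example.

```python
"""Egress-log heuristics for two callback behaviours in the payload table.

Added defender-side example (not Metasploit or Armitage code). The log
format and every address, host and timestamp are constructed. It looks for:
  * reverse_tcp_allports: an egress-filtered host leaves a run of
    consecutive destination ports to one external address.
  * reverse_https / reverse_tcp: allowed connections to one address and
    port that recur at a near-constant interval (a beacon).
"""
from collections import defaultdict
from datetime import datetime, timedelta


def parse_log(text):
    """Parse '<iso-time> <ALLOW|DENY> <src> <dst> <dport>' lines into dicts."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue                      # skip blank or malformed lines
        ts, action, src, dst, dport = parts
        records.append({"ts": datetime.fromisoformat(ts), "action": action,
                        "src": src, "dst": dst, "dport": int(dport)})
    return records


def longest_consecutive_run(ports):
    """Length of the longest run of consecutive integers in a set of ports."""
    best = 0
    for p in ports:
        if p - 1 in ports:                # only count from the run's first port
            continue
        length = 1
        while p + length in ports:
            length += 1
        best = max(best, length)
    return best


def find_port_sweeps(records, min_run=20, window_seconds=60):
    """Flag (src, dst) pairs that hit >= min_run consecutive ports inside any
    window_seconds window, with the first ALLOWed port (the one a payload
    would have escaped on) or None if every attempt was denied."""
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["src"], r["dst"])].append(r)
    hits = []
    for (src, dst), recs in by_pair.items():
        recs.sort(key=lambda r: r["ts"])
        best_run, first_allowed = 0, None
        for i, start in enumerate(recs):  # window anchored at each record
            window = [r for r in recs[i:]
                      if (r["ts"] - start["ts"]).total_seconds() <= window_seconds]
            run = longest_consecutive_run({r["dport"] for r in window})
            if run > best_run:
                best_run = run
                allowed = [r["dport"] for r in window if r["action"] == "ALLOW"]
                first_allowed = allowed[0] if allowed else None
        if best_run >= min_run:
            hits.append((src, dst, best_run, first_allowed))
    return hits


def find_beacons(records, min_count=5, max_jitter=0.2):
    """Flag (src, dst, dport) triples whose ALLOWed connections recur with
    inter-arrival gaps that never deviate more than max_jitter * mean."""
    by_key = defaultdict(list)
    for r in records:
        if r["action"] == "ALLOW":
            by_key[(r["src"], r["dst"], r["dport"])].append(r["ts"])
    hits = []
    for key, times in by_key.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = sum(gaps) / len(gaps)
        if mean > 0 and max(abs(g - mean) for g in gaps) <= max_jitter * mean:
            hits.append((*key, round(mean, 1)))
    return hits


def build_sample_log():
    """Constructed log: 10.0.0.12 is denied on ports 1-59 and gets out on 60
    (allports-style sweep); 10.0.0.30 calls 203.0.113.9:443 every 30 s
    (beacon); 10.0.0.5 browses 192.0.2.80:443 at irregular times (benign)."""
    base = datetime(2011, 5, 1, 10, 0, 0)
    lines = []
    for port in range(1, 61):
        action = "ALLOW" if port == 60 else "DENY"
        lines.append(f"{(base + timedelta(seconds=port)).isoformat()} "
                     f"{action} 10.0.0.12 198.51.100.7 {port}")
    for i in range(6):
        lines.append(f"{(base + timedelta(seconds=30 * i)).isoformat()} "
                     f"ALLOW 10.0.0.30 203.0.113.9 443")
    for offset in (0, 7, 9, 40, 44, 131):
        lines.append(f"{(base + timedelta(seconds=offset)).isoformat()} "
                     f"ALLOW 10.0.0.5 192.0.2.80 443")
    return "\n".join(lines)


if __name__ == "__main__":
    recs = parse_log(build_sample_log())
    for hit in find_port_sweeps(recs):
        print("consecutive-port sweep (allports-style callback):", hit)
    for hit in find_beacons(recs):
        print("periodic callback (beacon):", hit)
```

The sweep check only needs denied connections, so it works even when the payload eventually finds an open port; the beacon check is deliberately strict (no gap may deviate more than 20% from the mean), which keeps ordinary browsing out of the results but will miss callbacks that add random jitter, so treat both thresholds as starting points to tune against your own logs.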

Client-side Attack
1. Fingerprint sample of victims
2. Choose an Exploit
3. Launch Exploit
4. Spam victims (or wait for them)!

Which exploit do I use? Answer: These.

Name                     Where
java_signed_applet       Social engineering; anywhere Java applets run
ms11_003_ie_css_import   Internet Explorer 7/8 (requires .NET)
ie_createobject          Internet Explorer 6

Learning Check
• Which module listens for a connection from a payload?
• Which exploit works against Windows XP SP2, port 445?

Armitage and Metasploit Penetration Testing Lab

Post-Exploitation

Overview
• Command Shell
• Privilege Escalation
• Spying on the User
• File Management
• Process Management
• Post Modules and Loot

Network Attack Process

Demo Demo Demo

Learning Check
• Which Meterpreter command takes a screenshot?
• Which Meterpreter command is most useful to you?

Armitage and Metasploit Penetration Testing Lab

Maneuver

Overview
• Pivoting
• Scanning
• Attacking

Network Attack Process

Demo Demo Demo

Learning Check
• Which module gives a session on a Windows host using credentials or hashes?
• Which scan should you do before setting up a pivot?

Network Attack Process

Armitage and Metasploit Penetration Testing Lab

Resources

Free Metasploit Course

http://www.offensive-security.com/metasploit-unleashed

Metasploit Homepage

http://www.metasploit.com

Armitage Homepage

http://www.fastandeasyhacking.com

BackTrack Linux

http://www.backtrack-linux.org/

Pen Test & Vuln Analysis Course @ NYU

http://pentest.cryptocity.net

Armitage and Metasploit Penetration Testing Lab

Raphael Mudge [email protected]

Twitter: @armitagehacker