Metasploit: Advanced Ethical Hacking Tutorial


7.1 Acquiring Metasploit

We're going to start working with a tool called Metasploit at this point, and before we can work with it, of course, we need to go get a copy. Now, Metasploit is a tool that's used for exploit development and penetration testing, and we're going to do quite a bit of work in it. It started life as an open source project and was created by HD Moore, who is still involved in it, although at this point it's owned by a company called Rapid7. Metasploit comes in a couple of different types. First of all there's the Professional version, which costs money to use. There's also, however, the Community version. So we can get the Community version, and that's free, but there are some limitations with it. The Community version has a limitation of only allowing you to work with 32 hosts at a given time. Now, you can certainly do more than 32 hosts, but you have to delete all of your results out of the Metasploit database before you can move forward. So you could do a scan of 32 hosts, do the work that you wanted with it, get the results, and then you would have to go delete all of those results in order to start on the next 32. As you can see here, it comes in both Windows and Linux 64-bit. It's also part of a couple of penetration testing live CDs: BackTrack being one, and the successor to BackTrack, which Rapid7 is actually involved in as well, and that's Kali Linux. Kali Linux includes BackTrack along with it. So the creators of BackTrack came up with Kali Linux, it includes Metasploit, and the folks behind Metasploit have been involved with Kali Linux a little bit. So that's another way that you could get Metasploit: by getting either the older BackTrack or the new Kali Linux. So we're going to go get a copy of Metasploit at this point, download it, and then install it.
And we'll start work on all of the different things that we can do with Metasploit.

7.2 Setting Up Metasploit

At this point we've acquired Metasploit and now we're just going to do the setup on it. I'm doing this setup under Linux, although it's reasonably straightforward and works pretty much the same under Windows. It's a pretty standard, straightforward installation. I'm going to run the Metasploit installer, and I need to have administrative privileges, which is why I'm running it with the sudo command here. I need the administrative privileges so that it can install into all the correct directories. This is a Java-based installer, and you can see that we're just going to do a pretty straightforward accept the agreement, forward, select where it's going to go. And it wants to know if I want to install Metasploit as a service, and yes I do. That's going to give me access to the web interface on a regular basis: as soon as the computer starts up, the web interface is going to start. So now Metasploit is going to install all of the command line utilities, which is primarily what we're going to be using. It's also going to be installing the web interface components as well, and once they're finished and we've got it up and running we'll take a quick look at the web interface in an upcoming lesson, but primarily we're going to be working with the command line tools as we move forward doing the various things that we're going to be doing with Metasploit here. So we're just going to let Metasploit install. It's installing a pretty significant chunk of files onto the file system here, so we're going to let that run, and we're going to go into how to use Metasploit in upcoming lessons.

7.3 Metasploit Web Interface

At this point we've got Metasploit installed and everything is up and running. It went through the configuration process where it does all of the database configuration and setup, and that takes some period of time, but now we're up and running and we're in the web interface portion of Metasploit. You can see the very first thing it's doing is asking me to create a username. So I'm going to create a username and give it my personal information, and now I'm going to create an account. So it's going to set up that account for me, and that account is just for the web interface. Now it's asking me to activate my Metasploit license, and that also is just for the web interface. Even without the product key, I can get into the console, or the CLI, of the application and still use Metasploit. The product key is required for the web interface. So at this point I can go get a product key, and it's going to send me off to Rapid7, where it's going to ask me which one I want to use. I'm going to get the Community edition, which is the free version. It's filled in some information for me. I'm going to give it some bogus phone information, as I don't really want them calling me, but I have to give them my email address so that they can send me the license, because the license is going to come by email. So I've filled in the form and requested the product key; once I get the product key by email I can activate the license. Again, this is an important part if you want to use the Metasploit web interface, and it's not necessary if you're just going to use the console. At this point I've got some workspaces here that I created for demonstration purposes inside the console, and you can see how the web interface works: we've got all the pull-downs here, and I can do things like adding hosts to my workspaces, or my projects.
I can take a look at the vulnerabilities that are there and the captured data, so when I get to the point that I have exploited vulnerable systems, they may be pulling down user information or some other types of details, and that would get stored under Captured Data. You can see the Tasks and the Sessions, and there are some other capabilities that Metasploit has here. But this is really just the basics of the web interface, and again, I can still use the console without activating this product key, which I really need in order to effectively use the web interface.

7.4 Configuring Workspaces

We've got Metasploit installed at this point, and I want to talk a little bit about some ways of organizing all of the data that is going to be in Metasploit. The thing that we're going to use is workspaces. Workspaces are a way of organizing different projects into their own folders, for example. Even though it's not really a folder, you can kind of think of it as one. So what I want to do is add a workspace called "VTC". Let's take a look at some of the other things that we can do here. I can list the workspaces. If I were to just type workspace VTC, I would now be in that workspace. I can delete workspaces, I can rename workspaces. In fact, when I go to the web interface for Metasploit, what I'm going to get under Projects is the workspace there, so you can see that when I create a workspace, I actually get a project entry. I've got a default project where I've got some hosts, and when I do some different things, like run an Nmap scan inside the VTC workspace, I will get some hosts there. So it is a way of separating out the data that you have. Even though I have some data in my default workspace, if I were to type hosts here it would show nothing, because I've got nothing in this workspace. So it is a good way of segmenting data into different projects, or different folders, or different groups, however you want to think about it. It's a way of doing some data segmentation to keep all of the different things you're working on separate and distinct, so there's no overlap and you don't get confused by the hosts that are in one pentest versus the hosts that are in another pentest. So workspaces are really good for keeping information organized, and as you can see, when I make a change in the console here, the MSF console, it is reflected in the web interface.
And if I were to add a project in the web interface, it would show up as a workspace here. So again, workspaces are really useful for organizing data. You can create, you can delete, you can rename, and you can put all of your data in the project where it belongs.

7.5 Running Nmap from Metasploit

Now that we've got the ability to do workspaces and we've got Metasploit installed, let's actually start loading up the workspace with some information about the systems that we've got. The first thing I want to do is change into my workspace. So I'm now in my workspace. Now what I can do here is db_nmap, and what I'm going to do is some scanning of my network, and the scans are going to be populated into Metasploit. So I'm just going to do a SYN scan here, and I'm going to do 172.30.42.55... no, I want to do the whole network here, so 172.30.42.0/24. This is really just calling Nmap, and the db_ prefix says that we're going to store the results in the database. This works exactly like the command line version of Nmap, where I can do a SYN scan here with -sS. If I were to do a TCP scan, or a connect scan, I would do -sT. The -O is going to give me the operating system version, if it can guess it. And then, of course, I've got my target there. So again, this works exactly like Nmap does on the command line; the difference is that I'm going to get the results and store them in the database. Metasploit is calling Nmap and taking all of the hosts that are responding and the ports that are open and storing them in the Metasploit database, and of course, since we've changed into the workspace VTC, it's going to store them in that workspace. I've got other workspaces where I may do different things and have Nessus results imported, or other Nmap scans. Those are all going to be separate. So I've got Nmap going here, and again I could do a number of different scans. I could do an idle scan from inside here and store all of the results inside of Metasploit, and still get that ability to do anonymous-type scanning where the target doesn't actually see what's going on. So this will run for a little while.
And when it's done, all I would have to do is type hosts and you would see the hosts that showed up in the Nmap scan; if I were to type services, you would see the services that came back. Actually, in this case, let me kill this. We haven't actually gotten anything back from Nmap yet, but once we do, if I were to type services, it would show the ports that were open: you can see the host, the port, the protocol, the name and the state of the port. So instead I'm just going to run Nmap here and let it go on the network, and we'll see in subsequent videos what's going on and where we actually got some results from this scan, and we'll be working with some of the data that we get back.

7.6 Importing Nessus Results


7.7 Scanning with Metasploit

So far we've used Nmap inside Metasploit, and that's really good for doing some port scanning. When you've done a port scan you'll get a list of ports back. What we may want to do, though, is check for services across the entire network. There are some scanners that are built into Metasploit, and I can make use of those scanners to find the services that are on the network, and maybe do some simple things with them in terms of trying to exploit some vulnerabilities. So right now what I want to do is use the smb2 scanner. I'm going to use that scanner now; I can just paste it back, which saves me having to type it in. If I take a look at my options, I can do set RHOSTS, and I want to do 172.30.42.0/24. You can see that it will take a CIDR identifier, and this is my CIDR identifier. What this says, basically, is do everything on the network that has a netmask of 255.255.255.0, so 24 bits of subnet. Now I'm going to run the scanner, and it's going to go take a look at all the hosts on the network and see whether we can come back with anything that is running SMB2. So we're looking, basically, for systems with port 445 open. Now, if I scroll back up here, you can see there are a lot of different services that scanners have been written for. We can do some SSH login checking. We can do a public key login scanner. We can do some SNMP scanning. We can do some domain enumeration and version detection with SMB. We can look for something called Modbus, which is used in SCADA networks. We can do some SIP scanning to see whether there are services out there that are using the Session Initiation Protocol for VoIP, or doing video streaming, that sort of thing. So there are a lot of different services that are just built into Metasploit where we can do scanning of them and determine whether they're services that are available, if we happen to have a particular exploit in mind.
For example, we could do a scan for potentially vulnerable systems and then try to run the exploit against those systems. You can see at this point that we've scanned about 10% of the network: we've looked at 26 out of 256 hosts, and this is going to take some time to run all the way through. But this is how you would do some scanning with Metasploit. You would use one of the scanners that are in the auxiliary tree; you just pick the scanner type that you want, you set the options, and then you just tell it to run, and it goes off and does the scan for you and comes back with the results. Then you can go from there to doing exploits, if you've actually got an exploit that you want to run.

7.8 Looking at Vulnerabilities

So we've imported some results and done a little bit of scanning using Metasploit, so we've actually got some data in our database, and we can take a look at the hosts that we've got. At this point we've turned up three devices. One of them came from the SMB scan that we did, and the other two came from the Nessus scan. I can take a look at the ports that we have found to be open with services. Now I've got the list of all the ports, and you can see 64 with port 445 open, running SMB2; that again came from the SMB scan that we performed. So now I've got my hosts in here and I've got the services that are listening. I actually want to take a look at the vulnerabilities that I've got, so I can list the vulnerabilities that we have found, and here we've actually got a lot of vulnerabilities, because Nessus turned up a lot of vulnerabilities from the scan that was performed. Now I've got the challenge of going and digging through all of these vulnerabilities to see if I can find anything that's useful. So again, we've got a lot of data stored in the database here in Metasploit, and I've got all of this listed by host, the time that it was generated, the name of the vulnerability, and of course some references as well. The references, hopefully, will give us some ability to do a little bit of digging to see if we can find some vulnerabilities that we may be able to make use of here within Metasploit. What we probably want to be looking for here is things like CVEs, for example. Even better than that is something like this MS06-040. That's something that we could do some searches on. Now, this is how the vulnerabilities come listed here in Metasploit: it's just this long list, and it takes some time to go digging through to see if we can find particular vulnerabilities that we may be able to make use of.
So right now it's just a matter of chunking through all of the data that we've got to see if we can find something that we actually want to go searching for. We'll go searching for a vulnerability, and I'll show you how to go about doing that in the next video.

7.9 Searching for Vulnerabilities

So we've done some looking at the vulnerabilities in Metasploit. Now I want to do a little bit of searching on them. One thing I can do is a little bit of searching on the Internet, a little bit of Google searching, to figure out what some of these vulnerabilities actually are. So MS08-067, for example; let's just take a look at that one. I'm going to pop open Firefox here, and we can just take a look at the vulnerability MS08-067. I can see the security bulletin on it, so we can take a look at that, and we can see that Microsoft views this as a critical vulnerability, and here are all of the systems that are vulnerable to it. So we've got Windows 2000 with Service Pack 4, Windows XP with Service Pack 2 and 3. It looks like this is a pretty wide-ranging vulnerability, maybe something that we want to take a little bit of a closer look at. So I've got it here, and we've shown it as a vulnerability on the system 42.17. Let's see if we've actually got a Metasploit exploit for it. What I want to do is search ms08-067, and Metasploit will search all of its known vulnerabilities and the things that it actually has exploits for, and see whether it has an exploit for that particular vulnerability. In this case we actually have an exploit. So now what we can do is go use this exploit against the target host, and we'll run the exploit coming up next.

7.10 Running Exploits

So at this point we've identified a vulnerability that we want to take a look at. What I want to do is use exploit/windows, and I can do tab completion here to help me with the typing, ms08_067, and that's the only one, so I'm going to use that one. Now I want to show options: I want to see, first of all, what I've got some control over, the variables I can set, and I also want to see the things that I actually have to fill in. It looks like I can change the port setting if I wanted to, I could change the SMBPIPE, and it looks like what I actually have to do is set the RHOST. So I'm going to set RHOST, that's the variable, to 172.30.42.17, the target, because that's the system that we found via Nessus was vulnerable to this particular exploit. Now I want to run the exploit; I want to exploit the system. So we're running the exploit and trying to trigger the vulnerability. You can see it prints out everything it's doing as it goes along. And now we've actually gotten into the system. When I get a prompt, it indicates that I'm actually on the system itself at this point, so I'm communicating with the system. I'm trying to do a file list and see whether we can get some data back. So here are all of the files on the target system, and it looks like this is probably the System32 directory that we're in at this point. So I am on the target system now, as you can see. Now what we want to do is a little bit of data gathering, so we can see if we can find users, for example, or some other useful artifacts from the system, maybe screenshots. Screenshots are really great so that you can demonstrate that you were actually on the system. So I'll show you some of the different types of data that we can gather coming up in the next video.

7.11 Post Exploitation Data Gathering

At this point we're actually in the target system. We've run an exploit, and I am in the target system right now using the exploit. Here's the file listing for the different files in the particular directory that we're in, and we can take a look at the directory: we're in Windows System32. So now I want to see what other things I can get. The first thing I probably want to do is a hashdump. These are all of the password hashes on this particular system, so now I could take these and run a password cracker against them. I could also run sysinfo, and I can see the information about the system that I am working with. So now what else do I want to do at this point? Let's see if we can get a screenshot. I run screenshot here, and now it should be in my Downloads directory. So let me open up my file list and we'll see what the screenshot actually looks like. If I go to Downloads here, open up the Downloads, it's called ffYY. I'm going to open that with Image Viewer and see what we've got. I can see from the thumbnail that the screen saver is active at the moment. So this is what the screen looks like on that particular system right now: I've got the screen saver. Now I've got a screenshot, and of course it would be more helpful if the desktop were actually there, but what we got is the screen saver, and that's okay. Now what I can also do here is getsystem, and I can tell you right now that I've already got system-level privileges on this system just because of this particular exploit. But if I didn't have system-level privileges, or high-level privileges, I could use getsystem to elevate my privileges. So we can see getsystem worked, and now I've got the highest level of privileges that I can on this particular system. I could take a look and see whether there's a webcam. Let's see if there's a webcam here. No webcam.
We could do some recording from the microphone; if there were a microphone, I could use record_mic. I could get a picture from the webcam, if there happened to be a webcam. I can do a dump of the keystroke buffers, so I could capture some keystrokes. In this case, nobody's sitting at this particular computer; it's a virtual machine that's sitting in my basement at the moment, actually, so doing a capture of keystrokes isn't really going to give me much of anything. But you can see that if somebody were actually on the system, you could be capturing their keystrokes. So you can see there's a lot of information that you can gather once you are in the system. Here's something else: I can take a look at the interfaces on the system. It looks like I've got a Bluetooth device, I've got an AMD PCNET, and I've got the Microsoft TCP Loopback interface; of course, that's my loopback address right there. So you can see we've got complete access to the system and can do anything we want. At this point, I could upload files if I wanted to. So there are a lot of things I can do post-exploitation, and coming up, I'll show you how to do things like pivoting and tunneling, which will give you the ability to get to systems that may be behind this one.

7.12 Pivoting And Tunneling

I've got my Meterpreter shell open to the Windows XP system that's on my network, and now I want to show you how you can do things like getting access to some systems that may potentially be behind this system. What I want to do first is show you that we can do netstat and see the different ports that are open here, and we can see a lot of different ports are open. I can take a look at the routing table, and I want to see whether there are any networks that are behind this particular system, because if there were networks behind it I could do something like pivoting. So what's pivoting? Well, with pivoting I can set the host that I am connected to through the exploit as a gateway to get to networks that are behind it. In this case there aren't any networks behind it. So I've run this utility called autoroute, and I should point out that autoroute is part of the professional version of Metasploit; it's not something that you can get with the free one. I've run autoroute and just got the help up. I can give it the subnet that I want to connect to and then the network mask, and autoroute will go about setting up a route entry for me, so that I can get to the network that's behind the particular device that we've just exploited. That gives me the ability to then use the system that we've exploited as a pivot in order to get to systems that are behind it. This is what we call pivoting: we're connecting to one host and then using that as an entry point into a network to get to the systems that are behind it. In this case it doesn't have any networks behind it, so I can't use it, but this is how you would use autoroute. You would use it by setting the subnet, and you would get that based on running netstat; you could get the subnet there as well as the netmask that was associated with it, and we could set autoroute in order to get to that particular system.
So that's how you would do a pivot to get to additional systems. Now, you could also do things like setting up a tunnel so that you can connect to other systems behind it without actually setting up all of the route entries. We could do something like that as well. But that gives me the ability to get to internal networks that are behind specific systems that we may be able to exploit, and it may give us access to an internal network that wouldn't otherwise be accessible from the outside world.

7.13 Writing an MSF Plugin

I want to take a look at adding some different modules inside of Metasploit. So you can see here I'm actually inside of the Metasploit directory. I am on a Linux system. I'm in opt Metasploit apps pro MSF3 modules auxiliary scanner. And I'm actually in a subdirectory under there, called Discovery, and that's because I actually want to write a scanner that's going to go look for a particular service. So, let's take a look at what's in this directory Directory. Now I'm in Linux, but the same principles apply. Under Windows you would find where Metasploit was installed it would typically be in the root of the C drive into a directory there. And from there you could go find the modules directory and Find a particular module that you actually want to use as a starting point. So all you really have to do is take a look at what's there and see if there's something similar. There's no point in reinventing the wheel and these make pretty good templates to start out with so Let's say we wanted to use UDP sweep as the starting point. So that's going to do a lot of probing on UDP, and what I really want to do is do some playing around on the UDP servers that we had previously looked at in some other lessons or videos. So I could use any number of those as a starting point so that's actually what I did and I wrote one called bad UDP for my bad UDP server. So right here I've just got to the framework for a class and I am putting that under the auxiliary Set of modules inside Metasploit and I'm including the auxiliary scanner and the auxiliary report modules to use. I'm doing an initialize here, where I've given it a name and I've just called it Bad UDP scanner. I haven't actually given it any description. And then we can move forward here. And here's where we would register options. You remember under Metasploit we've actually got some options where we do show options and then we can set some things. If you've got specific options, in this case I'm setting a remote port option. 
So if you had a different remote port, you want to do set here you could set that. In this case, I'm using 9876. And now we re creating a socket. And that's a UDP socket. And we're using these as parameters to that. We're going to add the socket. And then We're actually just going to send that particular pack out. Now here I checked the response. And I make sure the response is something that I expect to get. And if I find it, then I'm going to report that I found the bad UDP service. So let's take a look at MSF console at this point. And I'm going to get that started up. You can see I'm adding some report notes here as well. I am setting the host to be the IP. And the protocol to be UDP. The service name is BAD UDP. I'm setting the port and then the type and the data. For the report node. And that goes into the Metasploit database, and will remain there until we actually delete it, or delete the host. So right here I've got MSF console up. And let's take a look at what we've got here. So I'm going to search for bad UDP. And I've got the scanner there. Now I can just use axillary scanner discovery bad uup. Now if id do the show options I'll see the remote port as one of the options. And of course remote hosts is always one of the options going to leave the port alone and set our hosts to be 172.30.42.0/24. Now all I have to do is run and it's going to scan through all of the hosts on my network and it's going to indicate to me when it is found A service that responds in the way that's been outlined here in this module that I've created. And again, as I said no point recreating the wheel there's plenty of modules that you can use as a starting point And you'll get the structure of how metusploit likes the module to look and how it want to be written. So you can do all of that from one of the existing ones in it and just make the alterations that you need to make. So in this case I took a pretty simple UDP module. 
and made a number of changes so that I am connecting to the right port, I am actually sending the right message to the service, and then I'm checking the response to see whether I get the correct response or not. So right here you can see we found the bad UDP service on 172.30.42.55, which is actually the host that's running that UDP service. So we can see that the module actually worked, and it worked as expected. So adding modules into Metasploit is pretty easy if you know a little bit of Ruby and can find your way around Metasploit, and you can use different modules for ideas on how the different features and functionality of Metasploit can be used inside of these Ruby modules that you can write and add into Metasploit.
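The probe-and-report logic the bad_udp module walks through, as an added example that is not the module from the video: plain Ruby sockets stand in for the Msf::Auxiliary::Scanner and Report mixins so it runs without Metasploit, and the probe string, the expected banner and the loopback stand-in server are assumptions for your own service.

```ruby
require "socket"

# Assumptions (not from the video): the request the bad UDP service expects
# and the banner it answers with. Substitute the real exchange for your service.
PROBE    = "HELLO\n"
EXPECTED = /\ABADUDP OK/

# Send one probe to host:port; on a matching reply return the same fields the
# module hands to report_note (host, proto, port, sname, type, data), else nil.
# No answer, an unrelated answer, or a socket error all count as "not found".
def probe_bad_udp(host, port, timeout = 2)
  sock = UDPSocket.new
  sock.send(PROBE, 0, host, port)
  return nil unless IO.select([sock], nil, nil, timeout)   # timed out
  data, _addr = sock.recvfrom(1024)
  return nil unless data =~ EXPECTED
  { host: host, proto: "udp", port: port, sname: "bad_udp",
    type: "bad_udp.banner", data: data.strip }
rescue SystemCallError, IOError
  nil
ensure
  sock&.close
end

# What Msf::Auxiliary::Scanner does for you: run_host once per RHOSTS entry,
# collecting only the hosts that answered.
def scan_hosts(hosts, port)
  hosts.map { |h| probe_bad_udp(h, port) }.compact
end

# Constructed stand-in for the bad UDP server, bound to an ephemeral port on
# loopback so the scanner can be exercised offline. Returns [socket, port].
def start_fake_bad_udp
  srv = UDPSocket.new
  srv.bind("127.0.0.1", 0)
  Thread.new do
    while (pkt = (srv.recvfrom(1024) rescue nil))   # nil once srv is closed
      msg, addr = pkt
      reply = msg == PROBE ? "BADUDP OK 1.0\n" : "ERR\n"
      srv.send(reply, 0, addr[3], addr[1])
    end
  end
  [srv, srv.addr[1]]
end

if __FILE__ == $0
  srv, port = start_fake_bad_udp
  p scan_hosts(["127.0.0.1"], port)   # one hit, shaped like a Metasploit note
  srv.close
end
```

A host that never answers, or answers with something other than the expected banner, produces no entry, which is the behaviour you want before a module starts writing notes into the database.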

7.14 Writing Fuzzers

So we've written a plugin, and now I want to show you how you would go about writing something like a fuzzer. A fuzzer is a way of actually looking for vulnerabilities in an application, and at this point we're actually going to be looking at potential vulnerabilities in a web server. So you can see I'm in /opt/metasploit/apps/pro/msf3/modules/auxiliary, and I am changing into the fuzzers directory. You can see it's broken out by protocols at this point. And again, the same idea as when we were writing a scanner plugin: I can just go into one of the directories here and just see what we've got for things that we may be able to use as a starting point. So here's a fuzzer here where we're sending long URIs. So I could use this as a starting point since what I want to do is write an HTTP fuzzer, and of course that's what I did. So let's take a look at this http_bogus.rb. I actually used one of the other fuzzers as a starting point here. Again, it gives me the framework and the structure of the plugin, and I have given it a name because I really want to fuzz the verb, or the request, and so we're going to be sending bogus verbs or requests to web servers. I've added some options here, and I'm going to do a request. Here's where we actually do the request: we do a socket put, and here's the verb and the URI and then HTTP/1.1, and we're sending Host. The datastore is where all of the options are, so here we're checking the datastore and pulling out the option VHOST, and that's if we're using virtual hosts, where we might want to send a Host in the HTTP headers. So if there's a virtual host we need to send a host in the Host field. So now we're going to send the data and we're going to get some responses back. Now here's where I actually do the fuzzing. What I am doing is just getting a bunch of random alphanumeric text, and now here's where I set the different parameters that I'm going to be using, and here's where I get the fuzz string.
And now I do the http_get with the verb, or the request, and the URI, and then we set a timeout there. So let's take a look at how this actually works in Metasploit. Now beyond that, I am doing a little bit of exception handling. And again, if you're not familiar with exception handling, this is something that a lot of the scripts actually have because it helps determine whether there's been an error, so you can take the framework or the structure of the exception handling from whatever module you're using as a starting point, or as a pointer to how you may actually write the particular Metasploit module, and then you can make whatever alterations that you need to make. So we are in here now and I actually want to just search for bogus, and we've got http_bogus, so I'm going to use auxiliary/fuzzers/http/http_bogus. Now the nice thing is all I had to do was create this file over here and it automatically got added into Metasploit; Metasploit knows where it is, and I could search for it. And I'm going to use that now, show options, and I'm going to set RHOST to 172.30.42.55. And let me actually get into that one so we can actually see what's going on here. So I'm going to get into the Apache directory and I'm going to tail the log file, and that's going to be access.log. So now if I do run here, we should see a lot of requests hitting the server. And you can see that these are really bogus requests and the server is actually handling them just fine. And so the module execution is completed. We can see that all of the requests were handled. We can see what it looks like, and we actually got a 500 level error. So, we did get an actual error from the server, but it did not actually halt execution on the server, so the server stayed intact and up and running.
But that's actually how you would build a fuzzer using some of the Metasploit built-in modules and using the framework, and using the framework you could execute the fuzzer and see whether you can actually knock over some services that may lead to potential exploits down the road.
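The bogus-verb fuzzer described in this section, as an added example rather than the http_bogus.rb from the video: plain Ruby sockets stand in for the Msf HTTP client mixin, and the loopback server that answers 501 to unknown verbs is constructed here so the difference between "rejected but still up" and "stopped answering" can be seen offline. Host, port, VHOST value and verb length are assumptions.

```ruby
require "socket"
require "securerandom"

# Raw request as the module builds it with socket put: verb, URI, HTTP/1.1,
# and a Host header taken from the VHOST option.
def build_request(verb, uri, vhost)
  "#{verb} #{uri} HTTP/1.1\r\nHost: #{vhost}\r\nConnection: close\r\n\r\n"
end

# Random alphanumeric fuzz string: the bogus verb sent in place of GET.
def fuzz_string(len)
  chars = [*"a".."z", *"A".."Z", *"0".."9"]
  Array.new(len) { chars[SecureRandom.random_number(chars.size)] }.join
end

# Send one request and classify the outcome. :status is the HTTP status the
# server answered with (a 4xx/5xx means it rejected the verb but survived);
# :error means the connection failed or timed out, the sign the service fell over.
def fuzz_once(host, port, verb, uri, vhost, timeout = 3)
  sock = Socket.tcp(host, port, connect_timeout: timeout)
  sock.write(build_request(verb, uri, vhost))
  return { verb: verb, status: nil, error: "timeout" } unless IO.select([sock], nil, nil, timeout)
  status = sock.gets.to_s[%r{\AHTTP/\d\.\d (\d{3})}, 1]
  { verb: verb, status: status&.to_i, error: status ? nil : "no status line" }
rescue SystemCallError, IOError => e
  { verb: verb, status: nil, error: e.class.name }   # exception handling, as in the module
ensure
  sock&.close
end

# One run: `rounds` random verbs against host:port, every result returned so
# the caller can see which inputs drew 5xx responses and whether any round errored.
def fuzz_verbs(host, port, vhost, rounds, verb_len = 8)
  Array.new(rounds) { fuzz_once(host, port, fuzz_string(verb_len), "/", vhost) }
end

# Constructed stand-in for the web server (assumption): 200 to GET, 501 to any
# other verb, i.e. it rejects bogus requests without falling over.
def start_fake_http
  srv = TCPServer.new("127.0.0.1", 0)
  Thread.new do
    while (c = (srv.accept rescue nil))   # nil once the listener is closed
      code = c.gets.to_s.start_with?("GET ") ? "200 OK" : "501 Not Implemented"
      c.write("HTTP/1.1 #{code}\r\nContent-Length: 0\r\nConnection: close\r\n\r\n")
      c.close
    end
  end
  [srv, srv.addr[1]]
end
```

Against the stand-in, `fuzz_verbs("127.0.0.1", port, "localhost", 20)` returns twenty 501 results and no errors; a run whose results start carrying timeouts or connection errors is the "knocked over" case the section is looking for.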

7.15 Social Engineering Toolkit

One of the techniques that is really popular these days is doing what we call social engineering. Now social engineering has been around forever, and social engineering in some contexts is a physical activity. It's pretending to be someone you're not: walking in the front door of a place and pretending to be somebody who's involved with the network provider or with the telephone company or something like that. Or you could call somebody up and pretend to be with IT and help them reset their password, something along those lines. That's social engineering, but another thing that's really been popular in social engineering is this idea of phishing: using things like rogue websites in order to acquire information from people, or sending email out to people to get them to provide you some information. So there's a Social Engineering Toolkit that's available from TrustedSec, and this is actually pretty good at automating a lot of the techniques you might use in social engineering. So I've actually got the Social Engineering Toolkit here and what I want to do is just run it at this point, and we'll take a quick look at some of the things that you can do. So we've got social engineering attacks, we've got fast-track penetration testing, third-party modules, and it really interfaces with Metasploit and uses some of the modules from Metasploit in order to do its work. So there's a lot of things that we can do with the Social Engineering Toolkit, and it really automates a lot of the difficult tasks for you and takes care of a lot of the things that you want to do with social engineering. So we'll take a look at something like spear phishing coming up next.

7.16 Spear Phishing

We've got the Social Engineering Toolkit at this point and I want to walk you through how you would do something like spear phishing. Now spear phishing is the same idea as phishing, it's just a really targeted approach. So rather than doing something like a mass mailing to every email address you can find in hopes of getting something like credit card information or a Social Security number or something like that, what you're looking for with spear phishing is something very specific to a company that you're targeting, or maybe even an individual that you're targeting. So that's what spear phishing is. And what we're going to do here, inside the Social Engineering Toolkit, is a social engineering attack. And you can see it's very menu driven and pretty easy to get through. Now the first thing I'm going to do here is select one, and now that we're in social engineering attacks, go into spear phishing attack vectors. So now with spear phishing attack vectors, I can do things like perform a mass email attack or create a file format payload or create a social engineering template. I'm just going to do a very simple mass email attack. I'm going to use the tools that are built into the Social Engineering Toolkit rather than creating my own at this point. So you can see I've got a lot of options for payloads, and this is where some understanding of your target can be helpful so you know what may actually work best here. So what I want to do is, I'm actually going to select the Microsoft Word RTF overflow, and that's from three years ago at this point. I'm going to make use of that, and now this is kind of where we get into the Metasploit aspects of it. So what you want to do once they've opened up the attachment you're going to be sending: I think I want to spawn a command shell on the victim and send it back to the attacker. So I'm going to get a reverse TCP shell.
So once they open it up it's going to create a shell on their system and then send it back to me, so I'm just going to select one here. And the IP address for the payload listener: it's obviously helpful if you have a system that's exposed to the internet either through a NAT or directly connected. In this case I'm just playing around on my local network, and so I'm going to set the IP address as the IP address of this particular system. It's asking me for the port to connect back on; we use something like 443, because that's often open through firewalls. So now it's generating the format, and I need to create the attachment. So I'm going to do, I'm actually going to use a Word document here and it's going to create a new file for me, and I could rename it if I wanted to. I don't really care, I'm just going to keep the file name, which appears to be Moo.PDF in this case. And now what do we want to do? Do we want to do a mass mailer? Or do we want to do a single email address? I'm going to do a single email address, and I'm going to do a predefined template. They've already got a bunch of templates that have been created already, so here are the ones: Have you seen this?, Status Report, Dan Brown's Angels & Demons, New Update, How long has it been?, Baby Pics, et cetera. So there's a lot of different choices for email templates. I'm actually going to go with WOAAAA!!!!!!!!!!! This is crazy... And who am I going to send the email to? Well, I'm going to send it to myself in this case, just to have somebody to send it to. Use a Gmail account for your email attack, or use your own server or open relay? I actually happen to have an SMTP server on my network, and the from address is going to be ... and the from name doesn't much matter in this case. Username for the open relay is blank. And my server is 30.42.55. Port number for the SMTP server is 25, that's pretty standard. Do I want to flag this message as high priority? No, I don't want to flag it as high priority.
So we've delivered the emails at this point and I want to set up a listener which is going to actually listen for the reverse TCP connection. Now once you actually pick up the email and open up the attachment, it should actually fire a reverse TCP connection back; in this case I've actually got some errors inside of Ruby that are causing problems with the listener. But I could also set up a listener using Netcat, for example. So I could do that as well. Now, at this point, the email has gone off. It's got the attachment in it. If the system is vulnerable to the exploit that's in the attachment, then it ought to fire a shell back to me once I've set up a listener that's actually going to be able to handle it. So that's how you would do a spear phishing attack.
