Title: Metasploit: Lowering the Hacker Bar to a Five Year Old
1 Metasploit: Lowering the Hacker Bar to a Five Year Old
- Matthew E. Luallen
- m_at_sph3r3.com
2 Agenda
- Review of Ethics
- Quick Metasploit Overview
- Payload Options
- Penetration Testing Scenarios
- Metasploit in Action
Protective measures must be integrated into business operations.
Penetration testing reality check.
3 Review of Ethics
- Authorized use only.
- I will not use any utilities discussed in this session in an unauthorized or illegal manner.
- Be good people!
4 Literally a five year old soon.
- So easy a caveman can do it.
- So easy a caveboy can do it.
- So easy a cavegirl can do it.
- So easy my daughter turns 3 next week.
- Yikes!
5 Information Asset Protection: Protecting Intellectual Property
Vulnerability validation utility (penetration testing)
Based upon ISO/IEC 15408 (Common Criteria)
6 The Metasploit Project
- http://www.metasploit.com
- Windows, Unix / Linux
- Even ported to an iPod
- http://www.eweek.com/article2/0,1895,1910371,00.asp
8 Quick Metasploit Overview
9 Start the web engine
10 Allow the Perl handler
- Not necessary for MSF 3.0 (the Perl handler is an MSF 2.x requirement; 3.0 is rewritten in Ruby)
11 Identify Exploit
12 Select Target
13 Select Payload to Execute
14 Complete Target Identification and Set Options
15 [Major Vendor] [Major O/S] [Title]: owned OR broken
16 MSF 3.0 Auxiliary Modules
17 Payload Options
- adduser
- bind
- bind_dllinject
- bind_meterpreter
- bind_stg
- bind_stg_upexec
- exec
- passivex
- passivex_meterpreter
- passivex_stg
- passivex_vncinject
- reverse
- reverse_dllinject
- reverse_meterpreter
- reverse_ord
- reverse_ord_vncinject
- reverse_stg
- reverse_stg_upexec
- reverse_vncinject
18 Payloads Continued
- Bind versus Reverse
  - Bind: the payload listens on the victim; Metasploit makes the inbound connection to it
  - Reverse: Metasploit listens; the victim makes the outbound (reverse) connection back to it
- Popular
  - AddUser
  - Execute
  - VNC
  - DLL Injection (attack cloaking)
  - PassiveX (HTTP tunnel)
- Advanced
  - Meterpreter (encrypted / pluggable)
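To make the bind/reverse distinction concrete, here is an added example that is not from the slides or from the Metasploit code base. It models only the connection direction of the bind_* and reverse_* payload families with plain sockets on 127.0.0.1; no real payload is involved, and the 'attacker' and 'victim' roles, the ports and the banner strings are assumptions for the demo.

```python
"""Connection direction of bind vs. reverse payloads, shown with plain sockets.

Added example, not from the slides or the Metasploit code base: it models only
who listens and who connects, not the payload itself. The 'attacker' and
'victim' roles, ports and banner strings are assumptions for the demo; both
ends run on loopback so it is self-contained.
"""
import socket
import threading

HOST = "127.0.0.1"


def _free_port() -> int:
    """Ask the OS for an unused TCP port (assumption: loopback is available)."""
    with socket.socket() as s:
        s.bind((HOST, 0))
        return s.getsockname()[1]


def _serve_once(listener: socket.socket, to_send: bytes, result: dict) -> None:
    """Listener side: accept one peer, send a message, record the reply."""
    conn, _ = listener.accept()
    with conn:
        conn.sendall(to_send)
        result["listener_received"] = conn.recv(64)


def bind_demo() -> dict:
    """bind_*: the payload on the VICTIM listens; Metasploit connects IN.

    An inbound filter in front of the victim stops this connection.
    """
    port = _free_port()
    victim = socket.socket()
    victim.bind((HOST, port))
    victim.listen(1)
    result = {"listener": "victim", "initiator": "attacker", "port": port}
    t = threading.Thread(target=_serve_once, args=(victim, b"victim-shell>", result))
    t.start()
    # Attacker initiates: connect to the victim's listening port.
    with socket.create_connection((HOST, port)) as attacker:
        result["initiator_received"] = attacker.recv(64)   # shell prompt arrives
        attacker.sendall(b"whoami")                          # attacker sends a command
    t.join()
    victim.close()
    return result


def reverse_demo() -> dict:
    """reverse_*: Metasploit listens; the payload on the victim connects OUT.

    Only an egress filter on the victim's side stops this connection.
    """
    port = _free_port()
    attacker = socket.socket()
    attacker.bind((HOST, port))
    attacker.listen(1)
    result = {"listener": "attacker", "initiator": "victim", "port": port}
    t = threading.Thread(target=_serve_once, args=(attacker, b"whoami", result))
    t.start()
    # Victim initiates: connect back to the attacker's handler.
    with socket.create_connection((HOST, port)) as victim:
        cmd = victim.recv(64)                                # command arrives
        result["initiator_received"] = cmd
        victim.sendall(b"victim-shell>" + cmd)               # victim "executes" and replies
    t.join()
    attacker.close()
    return result


def blocked_by_inbound_only_firewall(result: dict) -> bool:
    """A firewall that drops unsolicited INBOUND connections to the victim
    blocks the session only when the attacker is the initiator."""
    return result["initiator"] == "attacker"


if __name__ == "__main__":
    for demo in (bind_demo, reverse_demo):
        r = demo()
        print(demo.__name__, r, "blocked by inbound-only firewall:",
              blocked_by_inbound_only_firewall(r))
```

Run both demos and compare the initiator field: in the bind case the attacker opens the TCP connection, in the reverse case the victim does. A perimeter that only filters inbound traffic stops the bind case and lets the reverse case through, which is why reverse payloads are the usual choice against a host behind a firewall or NAT, and why egress filtering matters on the defensive side.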
19 Penetration Testing Scenarios
- Adding rogue user accounts
- Modifying desktops
- Redirecting dns connections
- Remote desktop control
- Information reconnaissance
- Execution of nearly anything you want (subject to the other defense-in-depth protective controls in place)
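The first scenario, adding rogue user accounts, is also the easiest one to detect after the fact. The following added example is not part of the slides: the log lines are constructed, and their one-line key=value layout is a simplification of the real Windows Security event fields. It correlates a user-creation event (4720) with a subsequent addition of that user to the local Administrators group (4732) on the same host within a short window, which is the footprint an exploit-delivered adduser payload leaves, and notes when the creating subject is a machine account (NAME$), i.e. code running as SYSTEM rather than an operator at a console. Those are the Vista/2008-and-later event IDs; on the Windows 2003-era systems this deck targets the same events are 624 and 636.

```python
"""Detect 'rogue local admin' account creation from Windows Security-log events.

Added example, not from the slides. The sample log is constructed, and its
one-line key=value layout is a simplification of the real event fields;
the event IDs are the real ones (4720 = user account created,
4732 = member added to a security-enabled local group).
"""
import re
from datetime import datetime, timedelta

EVENT_USER_CREATED = 4720
EVENT_LOCAL_GROUP_MEMBER_ADDED = 4732

# Constructed sample: a help-desk account creation (benign), then an account
# created under the machine account (SYSTEM context) and promoted to
# Administrators one second later, the footprint of an adduser-style payload.
SAMPLE_LOG = """\
2007-03-01T09:00:01 EventID=4720 SubjectUserName=helpdesk TargetUserName=jsmith Computer=WS01
2007-03-01T09:05:30 EventID=4732 SubjectUserName=helpdesk MemberName=jsmith GroupName=Users Computer=WS01
2007-03-01T14:22:10 EventID=4720 SubjectUserName=WS02$ TargetUserName=metasploit Computer=WS02
2007-03-01T14:22:11 EventID=4732 SubjectUserName=WS02$ MemberName=metasploit GroupName=Administrators Computer=WS02
2007-03-01T15:00:00 EventID=4624 SubjectUserName=- TargetUserName=metasploit Computer=WS02
"""

_KV = re.compile(r"(\w+)=(\S+)")


def parse_events(text):
    """Turn the key=value lines into dicts with a datetime 'ts' and int 'EventID'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, _, fields = line.partition(" ")
        ev = dict(_KV.findall(fields))
        ev["ts"] = datetime.fromisoformat(stamp)
        ev["EventID"] = int(ev["EventID"])
        events.append(ev)
    return events


def find_rogue_admins(events, window=timedelta(seconds=60)):
    """Flag accounts created and then added to Administrators on the same host
    within `window`. 'system_context' is True when the creating subject is a
    machine account (NAME$), i.e. the creation ran as SYSTEM, which is how an
    account created by an exploited service looks, rather than by an operator."""
    alerts = []
    for created in (e for e in events if e["EventID"] == EVENT_USER_CREATED):
        for added in events:
            if (added["EventID"] == EVENT_LOCAL_GROUP_MEMBER_ADDED
                    and added.get("GroupName") == "Administrators"
                    and added.get("MemberName") == created["TargetUserName"]
                    and added.get("Computer") == created.get("Computer")
                    and timedelta(0) <= added["ts"] - created["ts"] <= window):
                alerts.append({
                    "user": created["TargetUserName"],
                    "computer": created["Computer"],
                    "created_by": created["SubjectUserName"],
                    "system_context": created["SubjectUserName"].endswith("$"),
                    "seconds_to_admin": (added["ts"] - created["ts"]).total_seconds(),
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in find_rogue_admins(parse_events(SAMPLE_LOG)):
        print(alert)
```

Against the constructed log only the "metasploit" account on WS02 is flagged; jsmith is created by a named operator and only joins Users. In a real deployment the 4732 event identifies the member by SID rather than name, so the join would be on the resolved SID, and the window should be tuned to what your provisioning tooling actually does.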
20 Metasploit in Action
- Live demonstration (closed network, authorized)
- I authorize myself to hurt myself (even this can be unauthorized)
  - As owner of my system and of all logical constructs
  - And in sound mind and body
21 In Session Example
- In an xterm:
  - su postgres
  - cd
  - /usr/local/pgsql/bin/initdb metasploit3 -U root
  - /usr/local/pgsql/bin/pg_ctl -D metasploit3 start
- In msfconsole:
  - cd /pentest/exploits/framework3
  - svn update (because there's new code being added daily)
  - msfconsole
  - load db_postgres
  - db_connect
  - db_nmap 192.0.3.1
  - db_services
  - db_autopwn -p -t -e
22 Further Your Metasploit Knowledge
- Additional Material
  - www.metasploit.com
  - http://metasploit.blogspot.com/
  - http://www.absoluteinsight.net/1176
  - http://metasploit.com/bh/defcon.pdf
  - http://cansecwest.com/core05/core05_metasploit.pdf
  - http://blog.metasploit.com/2006/09/metasploit-30-automated-exploitation.html
- Metasploit Exploit Code
  - www.exploitwatch.org
I know these links are not fun. Just search within Google for small clips of the URL.
23 Alternative Options
- Commercial
  - Core Security Technologies CORE IMPACT
    - http://www1.corest.com/
  - Immunity CANVAS
    - http://www.immunitysec.com/
- Open Source
  - SecurityForest Exploitation Framework
    - http://www.securityforest.com/wiki/index.php/Exploitation_Framework
    - Leverages the Exploit Tree
24 Security Assumptions to Live By
- Your conversations will be eavesdropped upon
- Physical assets (potentially containing logical information) will be lost or stolen
- Your challenge: build security controls based upon these two assumptions
25 Summary, Q/A, Contact Information
- My time is your time: open discussion