Metasploit Lowering the Hacker Bar to a Five Year Old - PowerPoint PPT Presentation

Slides: 26
Provided by: matthewe3

Transcript and Presenter's Notes
1
Metasploit Lowering the Hacker Bar to a Five Year Old
  • Matthew E. Luallen
  • m_at_sph3r3.com

2
Agenda
  • Review of Ethics
  • Quick Metasploit Overview
  • Payload Options
  • Penetration Testing Scenarios
  • Metasploit in Action

Protective measures must be integrated into business operations.
Penetration testing reality check.
3
Review of Ethics
  • Authorized Use Only <period>
  • I will not use any utilities discussed in this
    session in an unauthorized or illegal manner
    <period>
  • Be good people <exclamation point>

4
Literally a five year old soon.
  • So easy a caveman can do it.
  • So easy a caveboy can do it.
  • So easy a cavegirl can do it.
  • So easy my daughter turns 3 next week.
  • Yikes!

5
Information Asset Protection: Protecting Intellectual Property
Vulnerability Validation Utility (Penetration Testing)
Based upon IEEE Standard 15408 (Common Criteria)
6
The Metasploit Project
  • http://www.metasploit.com.org
  • Windows, Unix / Linux
  • Even ported to an iPod
  • http://www.eweek.com/article2/0,1895,1910371,00.asp

7
(No Transcript)
8
Quick Metasploit Overview
9
Start the web engine
10
Allow the perl handler
  • Not necessary for MSF 3.0

11
Identify Exploit
12
Select Target
Click here.
13
Select Payload to Execute
14
Complete Target Identification and Setting Options
15
owned OR broken
Major Vendor | Major O/S | Title
16
MSF 3.0 Auxiliary Modules
17
Payload Options
  • adduser
  • bind
  • bind_dllinject
  • bind_meterpreter
  • bind_stg
  • bind_stg_upexec
  • exec
  • passivex
  • passivex_meterpreter
  • passivex_stg
  • passivex_vncinject
  • reverse
  • reverse_dllinject
  • reverse_meterpreter
  • reverse_ord
  • reverse_ord_vncinject
  • reverse_stg
  • reverse_stg_upexec
  • reverse_vncinject

18
Payloads Continued
  • Bind versus Reverse
      • Bind: Metasploit makes both connections inbound
        to the victim
      • Reverse: Metasploit makes the forward connection;
        the victim makes the reverse connection back
  • Popular
      • AddUser
      • Execute
      • VNC
      • DLL Injection (Attack Cloaking)
      • PassiveX (HTTP tunnel)
  • Advanced
      • Meterpreter (Encrypted / Pluggable)

19
Penetration Testing Scenarios
  • Adding rogue user accounts
  • Modifying desktops
  • Redirecting DNS connections
  • Remote desktop control
  • Information reconnaissance
  • Execution of nearly anything you want (limited by
    the other defense-in-depth protective controls)

20
Metasploit in Action
  • Live Demonstration (Closed Network Authorized)
  • I authorize myself to hurt myself (even this can
    be unauthorized)
  • As owner of my system and of all logical
    constructs
  • And in sound mind and body

21
In Session Example
  • XTerm
      • su postgres
      • cd
      • /usr/local/pgsql/bin/initdb metasploit3 -U root
      • /usr/local/pgsql/bin/pg_ctl -D metasploit3 start
  • In MSFConsole
      • cd /pentest/exploits/framework3
      • svn update
        (because there's new code being added daily)
      • msfconsole
      • load db_postgres
      • db_connect
      • db_nmap 192.0.3.1
      • db_services
      • db_autopwn -p -t -e

22
Further Your Metasploit Knowledge
  • Additional Material
      • www.metasploit.com
      • http://metasploit.blogspot.com/
      • http://www.absoluteinsight.net/1176
      • http://metasploit.com/bh/defcon.pdf
      • http://cansecwest.com/core05/core05_metasploit.pdf
      • http://blog.metasploit.com/2006/09/metasploit-30-automated-exploitation.html
  • Metasploit Exploit Code
      • www.exploitwatch.org

I know these links are not fun. Just search within Google
for small clips of the URL.
23
Alternative Options
  • Commercial
      • Core Security Technology Impact
        http://www1.corest.com/
      • Immunity CANVAS
        http://www.immunitysec.com/
  • Open Source
      • SecurityForest Exploitation Framework
        http://www.securityforest.com/wiki/index.php/Exploitation_Framework
      • Leverages the Exploit Tree

24
Security Assumptions to Live By
  • Your conversations will be eavesdropped upon
  • Physical assets (potentially containing logical
    information) will be lost or stolen
  • Your challenge: build security controls based
    upon these two assumptions

25
Summary, Q/A, Contact Information
  • My time is your time: open discussion
