3. About Me
• Now: work, busy man….
• Unemployed….
• Interests…. /dev/random….
• Co-founder of null…. :-D
• Ex-IBMer…..
• Dal-roti ka jugad (making a living): Security Consulting/Training
19. Filesystem And Libraries
• lib: the 'meat' of the framework code base
• data: editable files used by Metasploit
• tools: various useful command-line utilities
• modules: the actual MSF modules
• plugins: plugins that can be loaded at run-time
• scripts: Meterpreter and other scripts
• external: source code and third-party libraries
Courtesy http://www.offensive-security.com/metasploit-unleashed
21. msfconsole
• It is the only supported way to access most of the features within Metasploit.
• Provides a console-based interface to the framework
• Contains the most features and is the most stable MSF interface
• Full readline support, tabbing, and command completion
• Execution of external commands in msfconsole is possible
Courtesy http://www.offensive-security.com/metasploit-unleashed
34. Supported Databases
• MySQL: on BackTrack 4 r2, MySQL and Metasploit work together "out of the box"
• Postgres
• SQLite3: file-based database, may be dropped in future
36. Nmap
• db_nmap command to scan a host/network
• Results are stored in the database
• View the results using the db_hosts and db_services commands
42. At Your Fingertips
• db_autopwn
– Automates the exploitation process
– Takes target/service/vulnerability info from the database
– Spawns a meterpreter shell on success
– Noisy
50. Exploiting PDF
• Most exploited software for the last 2 years
• Universally used document format
• Favorite carrier for commercial malware toolkits
51. What can PDF do?
• JavaScript runs in the context of the Acrobat application object model
• File attachments
• XML, SOAP capabilities
• Forms
• Web services
• Database connections (ADBC)
52. What's cracking up?
• Vulnerable APIs
– util.printf() (CVE-2008-2992)
– getIcons() (CVE-2009-0927)
– getAnnots() (CVE-2009-1492)
– customDictionaryOpen() (CVE-2009-1493)
– Doc.media.newPlayer (CVE-2009-4324)
• File parsing vulnerabilities
– JBIG2 (over a dozen CVEs)
– libTiff (CVE-2010-0188)
• Socially engineered arbitrary command execution
– PDF escape by Didier Stevens
– Not a bug (feature)
– Exploited in the wild
• Embedded files
– libTiff (CVE-2010-0188)
54. Payload Generation and Backdooring EXE
• Payload can be converted to various file formats, i.e. exe, dll, javascript etc.
• Encode the payload to evade antivirus
• Can be embedded in third-party software/utilities
62. SET (Social Engineering Toolkit)
• The weakest link in the information security chain is the natural human willingness to accept someone at their word.
• SET focuses on attacking the human element
• Developed in Python
• Very easy to use
• Utilizes the Metasploit Framework on the backend
67. What next after getting a shell?
• One can run the commands supported by the command prompt/shell.
• So what extra control is needed to cash in on the opportunity?
68. Meterpreter
• Meta-Interpreter
• Post-exploitation payload (tool)
• Uses in-memory DLL injection stagers
• Can be extended at run time
• Encrypted communication
69. What can be done?
• Command execution
• File upload/download
• Process migration
• Log deletion
• Privilege escalation
• Registry modification
• Deleting logs and killing antivirus
• Backdoors and rootkits
• Pivoting
• etc.
71. Channels
• Communication using TLV (Type-Length-Value)
• Data is tagged with a channel number
• Multiple programs can be run on the victim machine using different channels
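The TLV framing and channel tagging described on this slide, as an added example that is not from the original deck and not the framework's own code: a small Ruby encoder/decoder for length-then-type records, plus a demultiplexer that reassembles each channel's stream. The wire layout (4-byte big-endian length including the header, 4-byte type, value) and the constant values are assumptions modelled on the framework's packet definitions.

```ruby
# Added example, not from the original slides: minimal TLV framing with
# channel tagging in the Meterpreter style. Wire layout assumed: 4-byte
# big-endian length (header included), 4-byte big-endian type, then value.
TLV_META_TYPE_STRING = 1 << 16                 # constants are assumptions
TLV_META_TYPE_UINT   = 1 << 17
TLV_META_TYPE_RAW    = 1 << 18
TLV_TYPE_CHANNEL_ID   = TLV_META_TYPE_UINT | 50
TLV_TYPE_CHANNEL_DATA = TLV_META_TYPE_RAW  | 52
HEADER_LEN = 8

# Encode one TLV; the length field counts the 8-byte header plus the value.
def tlv_encode(type, value)
  bytes = if type & TLV_META_TYPE_UINT != 0 then [value].pack("N")
          elsif type & TLV_META_TYPE_STRING != 0 then value.b + "\x00".b # NUL-terminated
          else value.b
          end
  [HEADER_LEN + bytes.bytesize, type].pack("NN") + bytes
end

# Decode concatenated TLVs into [type, value] pairs. The length field is
# untrusted input, so truncated or oversized records are rejected, not read past.
def tlv_decode(buf)
  out, pos = [], 0
  while pos < buf.bytesize
    raise ArgumentError, "truncated header at #{pos}" if buf.bytesize - pos < HEADER_LEN
    len, type = buf.byteslice(pos, HEADER_LEN).unpack("NN")
    raise ArgumentError, "bad length #{len} at #{pos}" if len < HEADER_LEN || pos + len > buf.bytesize
    raw = buf.byteslice(pos + HEADER_LEN, len - HEADER_LEN)
    value = if type & TLV_META_TYPE_UINT != 0 then raw.unpack1("N")
            elsif type & TLV_META_TYPE_STRING != 0 then raw.chomp("\x00")
            else raw
            end
    out << [type, value]
    pos += len
  end
  out
end

# Tag a data chunk with its channel number so several programs can share
# one connection; demux reassembles each channel's stream on the other end.
def channel_packet(channel_id, data)
  tlv_encode(TLV_TYPE_CHANNEL_ID, channel_id) + tlv_encode(TLV_TYPE_CHANNEL_DATA, data)
end

def demux(buf)
  streams, current = Hash.new { |h, k| h[k] = "".b }, nil
  tlv_decode(buf).each do |type, value|
    current = value if type == TLV_TYPE_CHANNEL_ID
    streams[current] << value if type == TLV_TYPE_CHANNEL_DATA && current
  end
  streams
end
```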
72. Pivoting
[Diagram: numbered steps 1–4 across the Internet, a Firewall/IPS, the Local LAN, a Web Server in the DMZ, and a Database Server]