1. Metasploit: Lowering the Hacker Bar to a Five Year Old
Matthew E. Luallen
m@sph3r3.com
2. www.sph3r3.com
3. Review of Ethics: Authorized Use Only.
I will not use any utilities discussed in this session in an unauthorized or illegal manner.
Be good people!
4. Literally a five year old soon
So easy a caveman can do it.
So easy a caveboy can do it.
So easy a cavegirl can do it.
So easy my daughter turns 3 next week.
Yikes!
5. Information Asset Protection: Protecting Intellectual Property
Does this look like a common product selection chart?
A science just like accounting, finance, manufacturing
A very similar process
Cost, benefit, resources, timing
6. The Metasploit Project
http://www.metasploit.com.org
Windows, Unix / Linux
Even ported to an iPod
http://www.eweek.com/article2/0,1895,1910371,00.asp
7. (no text on this slide)
8. Quick Metasploit Overview
9. Start the web engine
10. Allow the perl handler (not necessary for MSF 3.0)
11. Identify Exploit
12. Select Target
13. Select Payload to Execute
14. Complete Target Identification and Setting Options
15. owned OR broken
16. MSF 3.0 Auxiliary Modules
17. Payload Options
adduser
bind
bind_dllinject
bind_meterpreter
bind_stg
bind_stg_upexec
exec
passivex
passivex_meterpreter
passivex_stg
passivex_vncinject
reverse
reverse_dllinject
reverse_meterpreter
reverse_ord
reverse_ord_vncinject
reverse_stg
reverse_stg_upexec
reverse_vncinject
18. Payloads Continued: Bind versus Reverse
Bind: Metasploit makes both inbound connections
Reverse: Metasploit makes forward connection; victim makes reverse connection
Popular:
AddUser
Execute
VNC
DLL Injection (attack cloaking)
PassiveX (http tunnel)
Advanced:
Meterpreter (encrypted / pluggable)
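To make the bind-versus-reverse direction difference concrete from the defender's side, here is an added Python example; it is not part of the original deck and not Metasploit code. It parses a few constructed firewall-style connection records for a hypothetical monitored host, labels each as bind-style (an external host connecting in to a port the host is not expected to serve) or reverse-style (the host connecting out to an external address on a non-standard port), and then shows which of those a perimeter with inbound-only filtering blocks versus one that also filters egress. The log line format, the 10.0.0.0/24 range, the KNOWN_SERVICES set and port 4444 are all assumptions of the example.

```python
"""Classify connection records by direction to show why bind and reverse
payloads look different to a network defender (added example, not from the
original slides).

Constructed sample data for a hypothetical monitored host 10.0.0.5. The line
format is an assumption of this example:
  <timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <state>
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
import re

MONITORED_NET = ip_network("10.0.0.0/24")   # assumed internal address range
KNOWN_SERVICES = {22, 80, 443}              # ports the host is expected to serve

SAMPLE_LOG = """\
2007-03-01T10:00:01 10.0.0.5:51234 -> 10.0.0.20:443 SYN
2007-03-01T10:00:07 192.0.2.10:40000 -> 10.0.0.5:4444 SYN
2007-03-01T10:00:09 10.0.0.5:49152 -> 192.0.2.10:4444 SYN
"""

LINE_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+) (\S+)$")


@dataclass
class Conn:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_log(text):
    """Parse the constructed log format; lines that do not match are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, sport, dst, dport, _state = m.groups()
        conns.append(Conn(ts, src, int(sport), dst, int(dport)))
    return conns


def is_internal(ip):
    return ip_address(ip) in MONITORED_NET


def classify(conn):
    """Return 'internal', 'normal', 'bind-style', 'reverse-style' or 'transit'.

    bind-style:    an external host opens a session *to* the monitored host on
                   a port the host is not expected to serve (the attacker
                   connects in, which is the bind payload model).
    reverse-style: the monitored host opens a session *out* to an external
                   host on a non-standard port (the victim connects out, which
                   is the reverse payload model).
    """
    src_in, dst_in = is_internal(conn.src), is_internal(conn.dst)
    if src_in and dst_in:
        return "internal"
    if dst_in and not src_in:
        return "normal" if conn.dport in KNOWN_SERVICES else "bind-style"
    if src_in and not dst_in:
        return "normal" if conn.dport in KNOWN_SERVICES else "reverse-style"
    return "transit"


def blocked_by(conn, egress_filtering):
    """Model a simple perimeter policy: inbound traffic is always limited to
    KNOWN_SERVICES; outbound traffic is limited only when egress_filtering."""
    kind = classify(conn)
    if kind == "bind-style":
        return True                 # inbound-only filtering already stops this
    if kind == "reverse-style":
        return egress_filtering     # only egress filtering stops the callback
    return False


def report(text, egress_filtering=False):
    """One (timestamp, classification, blocked?) row per parsed record."""
    return [(c.ts, classify(c), blocked_by(c, egress_filtering))
            for c in parse_log(text)]


if __name__ == "__main__":
    for row in report(SAMPLE_LOG, egress_filtering=False):
        print(row)
```

Running the block prints three rows: the internal session passes, the inbound connection to port 4444 is stopped by inbound filtering alone, and the outbound connection to port 4444 passes unless egress filtering is on. That last row is the practical reason reverse payloads are listed as popular on the slide, and the reason egress filtering and outbound-connection monitoring belong in a defence-in-depth design.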
19. Penetration Testing Scenarios
Adding rogue user accounts
Modifying desktops
Redirecting DNS connections
Remote desktop control
Information reconnaissance
Execution of nearly anything you want (based upon other defense in depth protective controls)
20. Metasploit in Action: Live Demonstration (closed network, authorized)
I authorize myself to hurt myself (even this can be unauthorized)
As owner of my system and of all logical constructs
And in sound mind and body
21. In Session Example
In an xterm:
su postgres
cd
/usr/local/pgsql/bin/initdb metasploit3 -U root
/usr/local/pgsql/bin/pg_ctl -D metasploit3 start
In MSFConsole:
cd /pentest/exploits/framework3
svn update (because there's new code being added daily)
msfconsole
load db_postgres
db_connect
db_nmap 192.0.3.1
db_services
db_autopwn -p -t -e
22. Further Your Metasploit Knowledge
Additional Material:
www.metasploit.com
http://metasploit.blogspot.com/
http://www.absoluteinsight.net/1176
http://metasploit.com/bh/defcon.pdf
http://cansecwest.com/core05/core05_metasploit.pdf
http://blog.metasploit.com/2006/09/metasploit-30-automated-exploitation.html
Metasploit Exploit Code:
www.exploitwatch.org
23. Alternative Options
Commercial:
Core Security Technology Impact
http://www1.corest.com/
Immunity CANVAS
http://www.immunitysec.com/
Open Source:
SecurityForest Exploitation Framework
http://www.securityforest.com/wiki/index.php/Exploitation_Framework
Leverages the Exploit Tree
24. Security Assumptions to Live By
Your conversations will be eavesdropped upon
Physical assets (potentially containing logical information) will be lost or stolen
Your challenge: build security controls based upon these two assumptions
25. Summary, Q/A & Contact Information
My time is your time: open discussion