SlideShare une entreprise Scribd logo

Exploits Attack on Windows Vulnerabilities

Amit Kumbhar
Amit Kumbhar
1  sur  44
Télécharger pour lire hors ligne
1 | P a g e A Project Report On “ Exploiting Vulnerabilities Of Operating System Using Metasploits” Submitted By Mr.Amit Vikas Kumbhar To Mr.Sandeep Kumar Appin Technology Lab Jayanagar, Banglore IT Security and Ethical Hacking
2 | P a g e  Introduction.  Exploits.  Classification  Metasploit.  Histry of Metasploit  Use Of Metasploit  Metasploit Framework  Exploit.  Definition  Types Of Exploits  Payload.  Definition  Types Of Payload  Functions Of Payload  Graphical Overview of Metasploit  Steps for exploiting Vulnerabilities  Pre–Exploting Phase  Lab setup  Example 1)  Exploit :  Payload :  Example 2)  Exploit :  Payload : Contents Classification. Histry of Metasploit. Use Of Metasploit. Metasploit Framework. Definition. Types Of Exploits. Definition. Types Of Payload. Functions Of Payload. Graphical Overview of Metasploit. Steps for exploiting Vulnerabilities Exploting Phase. Exploit :- windows/dcerpc/ms03_026_dcom Payload :- windows/add_user Exploit :- windows/dcerpc/ms03_026_dcom Payload :- windows/generic_shell_bind_tcp windows/dcerpc/ms03_026_dcom windows/dcerpc/ms03_026_dcom windows/generic_shell_bind_tcp
3 | P a g e  Example 3)  Exploit :- windows/dcerpc/ms03_026_dcom  Payload :- windows/meterpreter/bind_tcp
4 | P a g e Introduction :- How tough is it to really compromise a system? Most security professionals are aware attacking and penetrating network devices is getting easier and attack sophistication is getting more complex. In large part this phenomenon is due to the old adage of "standing on the shoulders of giants." Many system researchers have uncovered the security weakness is common system design years ago, and as security professionals they shared the information. This allows someone with little understanding of system architecture to be able to perform more complex attacks than ever though possible. For a security professional it is possible to compromise a system without spending months learning a programming language and years learning system architecture. We can actually use technology to assist in performing penetration system penetration. Products like Core Security's Core Impact and Immunity's Canvas products have been providing this type of functionality for a few years now. These manufacturers do not just provide the technology, but they also provide training and support of their products to allow a qualified professional to perform a more methodological penetration test. It makes the task of compromising a system easier for a security administrator. The previously mentioned utilities are both fee based products, but more recently an open source product has become a common sight in penetration testing kits. This utility is called Metasploit™. Both Windows and Linux users can take advantage of the Metasploit™ product to perform a penetration test or system compromise. The utility itself is written in many programming languages including perl, C, and assembler. This environment provides many ready to use exploits and also allows for the security tester to customize them or to create their own exploit. The basic process for using the Metasploit™ console is not the most intuitive, but I think this was done to discourage the least skilled script kiddies from attempting to penetrate the system using this specific utility.
5 | P a g e Exploit s: An exploit (from the same word in the French language, meaning "achievement", or "accomplishment") is a piece of software, a chunk of data, or sequence of commands that take advantage of a bug, glitch or vulnerability in order to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic (usually computerised). This frequently includes such things as gaining control of a computer system or allowing privilege escalation or a denial of service attack. Vulnerability :- Vulnerability is a weakness which allows attacker to break into or compremise system security. Classification :- There are several methods of classifying exploits. The most common is by how the exploit contacts the vulnerable software. A 'remote exploit' works over a network and exploits the security vulnerability without any prior access to the vulnerable system. A 'local exploit' requires prior access to the vulnerable system and usually increases the privileges of the person running the exploit past those granted by the system administrator. Exploits against client application lso exist, usually consisting of modified servers that send an exploit if accessed with client application. Exploits against client applications may also require some interaction with the user and thus may be used in combination with social engineering method. This is the hacker way of getting into computers and websites for stealing data. Another classification is by the action against vulnerable system: unauthorised data access,arbitrary code execution ,denial of service. Many exploits are designed to provide superuser -level access to a computer system. However, it is also possible to use several exploits, first to gain low-level access, then to escalate privileges repeatedly until one reaches root. Normally a single exploit can only take advantage of a specific software vulnerability. Often, when an exploit is published, the vulnerability is fixed through a patch and the exploit becomes obsolete for newer versions of the
6 | P a g e software. This is the reason why some blackhat hackers do not publish their exploits but keep them private to themselves or other crackers. Such exploits are referred to as zero day exploits' and to obtain access to such exploits is the primary desire of unskilled attackers, often nicknamed script kiddies. Types :- Exploits are commonly categorized and named by these criteria:  The type of vulnerability they exploit (See the article on vulnerabilities for a list)  Whether they need to be run on the same machine as the program that has the vulnerability (local) or can be run on one machine to attack a program running on another machine (remote).  The result of running the exploit (Eop, Dos, Spoofing, etc...) Pivoting :- Pivoting refers to method used by Penetration Testers that uses compromised system to attack other systems on the same network to avoid restrictions such as firewall configurations, which may prohibit direct access to all machines. For example, an attacker compromises a web server on a corporate network, the attacker can then use the compromised web server to attack other systems on the network. These types of attacks are often called multi-layered attacks. Pivoting is also known as island hopping. Pivoting can further be distinguished into proxy pivoting and VPN pivoting: Proxy pivoting generally describes the practice channeling traffic through a compromised target using a proxy payload on the machine and launching attacks from this computer. This type of pivoting is restricted to certain TCP and UDP ports that are supported by the proxy.  VPN pivoting enables the attacker to create an encrypted layer 2 tunnel into the compromised machine to route any network traffic through that target machine, for example to run a vulnerability scan on the internal network through the compromised machine, effectively giving the attacker full network access as if she were behind the firewall. Typically, the proxy or VPN applications enabling pivoting are executed on the target computer as the Payload (software) of an exploit.
7 | P a g e “The Metasploit Framework is a development platform for creating security tools and exploits. The framework is used by network security professionals to perform penetration tests, system administrators to verify patch installations, product vendors to perform regression testing,and security researchers world-wide.” History of Metasploit :- The Metasploit project was originally started as a network security game by four core developers. It then developed gradually to a Perl-based framework for running, configuring, and developing exploits for well-known vulnerabilities.The 2.1 stable version of the product was released in June 2004. Since then, the development of the product and the addition of new exploits and payloads have rapidly increased. The Metasploit Project is an open-source computer security project which provides information about security vulnerabilities and aids in penetration testing and IDS signature development. Its most well-known sub-project is the Metasploit Framework, a tool for developing and executing exploit code against a remote target machine. Other important sub-projects include the Opcode Database, shellcode archive, and security research. The Metasploit Project is also well-known for anti-forensic and evasion tools, some of which are built into the Metasploit Framework. Metasploit was created by HD Moore in 2003 as a portable network game using the Perl scripting language. Later, the Metasploit Framework was then completely rewritten in the Ruby programming language. It is most notable for releasing some of the most technically sophisticated exploits to public security vulnerabilities. In addition, it is a powerful tool for third-party security researchers to investigate potential vulnerabilities. On October 21, 2009 the Metasploit Project announced that it had been acquired by Rapid7, a security company that provides unified vulnerability management solutions.
8 | P a g e Like comparable commercial products such as Immunity's Canvas or Core Security Technologies'Core Impact, Metasploit can be used to test the vulnerability of computer systems in order to protect them, and it can be used to break into remote systems. Like many information security tools, Metasploit can be used for both legitimate and unauthorized activities. Since the acquisition of the Metasploit Framework, Rapid7 has added an commercial edition called Metasploit Express, while keeping the Metasploit Framework updated and free. Metasploit's emerging position as the de facto vulnerability development framework has led in recent times to the release of software vulnerability advisories often accompanied by a third party Metasploit exploit module that highlights the exploitability, risk, and remediation of that particular bug. Metasploit 3.0 (Ruby language) is also beginning to include fuzzing tools, to discover software vulnerabilities in the first instance, rather than merely writing exploits for currently public bugs. This new avenue has been seen with the integration of the lorcon wireless (802.11) toolset into Metasploit 3.0 in November, 2006. Metasploit use :- Metasploit came about primarily to provide a framework for penetration testers to develop exploits.The typical life cycle of a vulnerability and its exploitation is as follows: 1. Discovery :- A security researcher or the vendor discovers a critical security vulnerability in the software. 2. Disclosure :-The security researcher either adheres to a responsible disclosure policy and informs the vendor, or discloses it on a public mailing list. Either way, the vendor needs to come up with a patch for the vulnerability. 3. Analysis :-The researcher or others across the world begin analyzing the vulnerability to determine its exploitability. Can it be exploited? Remotely? Would the exploitation result in remote code execution, or would it simply crash the remote service? What is the length of the exploit code that can be injected? This phase also involves debugging the vulnerable application as malicious input is injected to the vulnerable piece of code.
9 | P a g e 4. Exploit Development :- Once the answers to the key questions are determined, the process of developing the exploit begins.This has usually been considered a bit of a black art, requiring an in-depth understanding of the processor’s registers, assembly code, offsets, and payloads. www.syngress.com 5. Testing :- This is the phase where the coder now checks the exploit code against various platforms, service pack, or patches, and possibly even for different processors (e.g., Intel, Sparc, and so on). 6. Release:- Once the exploit is tested, and the specific parameters required for its successful execution have been determined, the coder releases the exploit, either privately or on a public forum. Often, the exploit is tweaked so that it does not work right out of the box.This is usually done to dissuade script kiddies from simply downloading the exploit and running it against a vulnerable system.
10 | P a g e Metasploit Framework This modularity of allowing to combine any exploit with any advantage of the Framework: it facilitates the tasks of attackers, exploit writers, and payload writers. Versions of the Metasploit Framework since v3.0 are written in the Programming Language. The previous version 2.7, was implem runs on all versions of Unix (including Linux and Mac OS X), and also on Windows. It includes two command line interfaces native GUI. The web interface is intended to be run from the attacker's computer. The Metasploit Framework can be extended to use external add languages. To choose an exploit and payload, some information about the target system is needed such as operating system version and installed network services. This information can be gleaned with as nmap. Nessus can, in addition, detect the target system's Metasploit Framework : This modularity of allowing to combine any exploit with any payload is the major advantage of the Framework: it facilitates the tasks of attackers, exploit writers, Versions of the Metasploit Framework since v3.0 are written in the Ruby . The previous version 2.7, was implemented in runs on all versions of Unix (including Linux and Mac OS X), and also on command line interfaces , a web-based interface and a native GUI. The web interface is intended to be run from the attacker's computer. Metasploit Framework can be extended to use external add-ons in multiple To choose an exploit and payload, some information about the target system is needed such as operating system version and installed network services. This information can be gleaned with Port scanning and OS fingerprinting in addition, detect the target system's vulnerabilities payload is the major advantage of the Framework: it facilitates the tasks of attackers, exploit writers, Ruby ented in Perl. It runs on all versions of Unix (including Linux and Mac OS X), and also on based interface and a native GUI. The web interface is intended to be run from the attacker's computer. ons in multiple To choose an exploit and payload, some information about the target system is needed such as operating system version and installed network services. This OS fingerprinting tools such vulnerabilities.
11 | P a g e In April 2010, Rapid7 released Metaploit Express, which is a commercial version of Metasploit. Based on the Metasploit Framework, it offers a graphical user interface, integrates nmap for discovery, and adds smart bruteforcing as well as automated evidence collection. Rapid7 has a full-featured 7-day trial for Metasploit Express. Exploits :- It is a code which allows an attacker to take advantage of vulnerable System. Exploit Types :-  Pretty much any protocol UDP, TCP, SMB, HTTP, FTP, SMTP, TFTP, SSH, etc  Active, Passive, Brute-Force  Remote, Local, User-Interaction (technically remote category)  Remote: windows/dcerpc/ms03_026_dcom  Local: no real local examples, but doable  User-Interaction--All your browser, “have to click on something,” type exploits  windows/browser/ms06_013_createtextrange Payloads :- Payload is Arbitrary code that is to be executed upon successful exploitation.It is a acutal code which run on the system after exploitation. Types Of Payloads :- 1) Single [shell_reverse_tcp = inline (single)] :-  A self-contained payload that performs a specific task  Size varies depending on the task  Example: Reverse or bind command shell
12 | P a g e 2) Stager [shell/reverse_tcp = stager] :-  A stub payload that loads / bootstraps a stage  Size generally much smaller than single payloads  Passes connection information onto the stage 3) Stage :-  Similar to a single payload, but takes advantage of staging.  Uses connection passed from the stager.  Not subject to size limitations of individual vulnerabilities  A stager can also be a stage Functions of Payloads :- Bind Shell: setup a socket, bind it to a specific port and listen for connection. Upon accepting a connection spawn a shell. Victim has to allow incoming connections on selected port. Reverse Shell: instead of binding to a port waiting for connection, the shellcode simply connect to a predefined IP and port number and spawn a shell. Find Tag: find socket style payloads that search for a socket based on the presence of a tag on the wire. Find_Port: payloads that search for a socket by comparing peer port names relative to the target machine. Ordinal Payloads: Uses static ordinals in WS2_32.DLL to locate symbol addresses. Leads to very tiny win32 stagers (92 byte reverse, 93 byte findsock) Reverse Http: called PassiveX payloads in 2.x. Tunnel communication over HTTP using IE 6. Payload modifies registry and launches IE, IE loads custom ActiveX control to stage the payload, Uses standard IE proxy and authorization settings, Can be used to inject VNC, Meterpreter, custom dlls. Adduser: Executes the net user x x /add & net localgroup administrators x /add Downloadexec: Download a .exe from a URL and execute it
13 | P a g e Uploadexec: uploads a .exe from local computer and executes Exec: execute a command of your choice Dllinject: injects a custom dll (you'll have to supply the dll) VNCinject: injects a custom VNC server dll into memory Meterpreter: the super payload, custom dll injected into memory (more on Day2); tons of postexploitation tools Opcode Database The Opcode Database is an important resource for writers of new exploits. Buffer overflow exploits on Windows often require precise knowledge of the position of certain machine language opcodes in the attacked program or included DLLs. These positions differ in the various versions and patch-levels of a given operating system, and they are all documented and conveniently searchable in the Opcode Database. This allows one to write buffer overflow exploits which work across different versions of the target operating system. Shellcode Database The Shellcode database contains the payloads (also known as shellcode) used by the Metasploit Framework. These are written in assembly language and full source code is available.
14 | P a g e Graphical Overview of Metasploit :- Steps for exploiting Vulnerabilities :- 1. Choosing and configuring an exploit(code that enters a target system by taking advantage of one of its bugs; about 300 different exploits for windows, Unix/Linux and Mac OS systems are included); 2. Checking whether the intended target system is susceptible to the chosen exploit (optional); 3. Choosing and configuring a Payload (code that will be executed on the target system upon successful entry, for instance a remote shell or aVNC Server); 4. Choosing the encoding technique to encode the payload so that the Intrusion Prevention System (IPS) will not catch the encoded payload; 5. Executing the exploit.
15 | P a g e  Pre–Exploiting Phase :- Using exploit for penetration testing is legal, hence if you want to penetratate your own system environment will not be illegal. But as I don’t have the real time environment I have created it using some third party softwares and operating systems as given below. 1) Install Vmware/Virtual PC which allows you to install various operating systems to use it at the same time.These softwares also creates a virtual network between the host operating systems and the own operating system.so the beginners can do the real practices or penetration on his own. 2) Install Metasploit Framework on the attackers system and start penetrating systems on the host operating systems installed in vmware.  Lab Setup  Own operating system – Windows XP professional Service pack 3 IP Address – 192.168.23.1  Host operating system 1 – Windows XP professional 2002 Services pack 1 IP Address – 192.168.23.131  Host operating system 2 – Windows XP professional Services pack 2 IP Address – 192.168.23.133
16 | P a g e  Exploiting Vulnerability :- 1) Exploit :- windows/dcerpc/ms03_026_dcom Payload :- Windows/adduser Rort :- 135 Rhost :- 192.168.23.131 Steps - Click on msfconsole on program list on start buttons.it show the below,
17 | P a g e Steps – use any exploit from list of exploits using keyword “use” following with exploit name.
18 | P a g e Steps – watch exploits options “show options” to fill with appropriate values with “set ” keyword.
19 | P a g e Steps – This is the target host operating system on vmware on whos IP address is 192.168.23.131
20 | P a g e Steps – set the value of RHOST with target IP address. set other default values if you want to change.
21 | P a g e Steps - To see the list of PAYLOADS use command “Show payloads” and select the PAYLOAD you want to set with keyword following with PAYLOAD name.
22 | P a g e Steps - Type “show option ” again to set values of PAYLOADS and set it appropriately. set TARGET the same as the target operating system if there are multiple targets shown in options .
23 | P a g e Steps - To exploit the vulnerability type the keyword “exploit” it will start attacking on the given target system.
24 | P a g e Steps – Target system after exploiting the vulnerability it created a new user account “Metasploit ” with password “metasploit” with administrator privileges.
25 | P a g e 2) Exploit :- windows/dcerpc/ms03_026_dcom Payload :- generic/shell_bind_tcp Rort :- 135 Rhost :- 192.168.23.131 Steps – select any exploit.
26 | P a g e  The Target systems IP address.
27 | P a g e  Step - set IP address of target system as “set HOST ” following with ip.
28 | P a g e  Step – set PAYLOAD generic/shell_bind_tcp
29 | P a g e  Step :- use exploits to execute attack on the Target system
30 | P a g e  Step :- Browsing the target system. Created a Folder named “system Hacked” on the Desktop.
31 | P a g e Screen shot :- These is the screen shot of the target system after attack where you can see the folder named “Hacked system” which is remotely created by the attacker which identifies the system is vulnerable. Remotely created folder on target system
32 | P a g e 3) Exploit :- windows/dcerpc/ms03_026_dcom Payload :- Windows/meterpreter/bind_tcp Rort :- 135 Rhost :- 192.168.23.133  Windows/dcerpc/ms-3_026_dcom exploit is selected to exploit the target system vulnerabilities.
33 | P a g e  Here the options are checked using the command show options
34 | P a g e  In this step the PAYLOAD windows/meterpreter/bind_tcp is set to attack on the target system.
35 | P a g e  This step starts exploiting the target system.
36 | P a g e  Here Using “ipconfig ” command the IP address and other useful information is carried out.
37 | P a g e  Using metasploit core commands we can read,write or delete the data on the target sytem as show below.
38 | P a g e  Here as per the file extension type or file name type we can search any file on any directory as show below I typed “search –d c: -f * .txt” to search all text files which shows following result.
39 | P a g e  As per search I found some file named “Confidential.txt” on the desktop of user “meet” so I went on the path where the file exsist and Downloaded with the command “Download confidential.txt”
40 | P a g e  Previously downloaded file is copided in the local attackers system in the folder of the “Metasploit” in Program Files as show below, Downloaded confidential file from Target system remotely
41 | P a g e  Here is the file we downloaded from the attackers system as we can see it resides on the desktop.
42 | P a g e  Here we deleted that file from the storage device of the target system.
43 | P a g e  Now you can see that the file we deleted is not visible on the desktop as we know it is deleted.
44 | P a g e Bibilography  www.exploits.com  www.google.com  www.wikipedia.com 

Recommandé

IRJET- Penetration Testing using Metasploit Framework: An Ethical Approach
IRJET- Penetration Testing using Metasploit Framework: An Ethical ApproachIRJET- Penetration Testing using Metasploit Framework: An Ethical Approach
IRJET- Penetration Testing using Metasploit Framework: An Ethical ApproachIRJET Journal
 
HackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware AnalysisHackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware AnalysisAntonio Parata
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testingNezar Alazzabi
 
Outpost Anti-Malware 7.5
Outpost Anti-Malware 7.5Outpost Anti-Malware 7.5
Outpost Anti-Malware 7.5Lubov Putsko
 
APT - Project
APT - Project APT - Project
APT - Project Dev Lavaniya
 
website vulnerability scanner and reporter research paper
website vulnerability scanner and reporter research paperwebsite vulnerability scanner and reporter research paper
website vulnerability scanner and reporter research paperBhagyashri Chalakh
 
Defending The Castle Rwsp
Defending The Castle RwspDefending The Castle Rwsp
Defending The Castle Rwspjmoquendo
 
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
2013 Toorcon San Diego Building Custom Android Malware for Penetration TestingStephan Chenette
 

Recommandé

IRJET- Penetration Testing using Metasploit Framework: An Ethical Approach
IRJET- Penetration Testing using Metasploit Framework: An Ethical ApproachIRJET- Penetration Testing using Metasploit Framework: An Ethical Approach
IRJET- Penetration Testing using Metasploit Framework: An Ethical ApproachIRJET Journal
 
HackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware AnalysisHackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware AnalysisAntonio Parata
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testingNezar Alazzabi
 
Outpost Anti-Malware 7.5
Outpost Anti-Malware 7.5Outpost Anti-Malware 7.5
Outpost Anti-Malware 7.5Lubov Putsko
 
APT - Project
APT - Project APT - Project
APT - Project Dev Lavaniya
 
website vulnerability scanner and reporter research paper
website vulnerability scanner and reporter research paperwebsite vulnerability scanner and reporter research paper
website vulnerability scanner and reporter research paperBhagyashri Chalakh
 
Defending The Castle Rwsp
Defending The Castle RwspDefending The Castle Rwsp
Defending The Castle Rwspjmoquendo
 
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
2013 Toorcon San Diego Building Custom Android Malware for Penetration TestingStephan Chenette
 
A Comparative Study between Vulnerability Assessment and Penetration Testing
A Comparative Study between Vulnerability Assessment and Penetration TestingA Comparative Study between Vulnerability Assessment and Penetration Testing
A Comparative Study between Vulnerability Assessment and Penetration TestingYogeshIJTSRD
 
Hiding in Plain Sight: The Danger of Known Vulnerabilities
Hiding in Plain Sight: The Danger of Known VulnerabilitiesHiding in Plain Sight: The Danger of Known Vulnerabilities
Hiding in Plain Sight: The Danger of Known VulnerabilitiesImperva
 
White Paper - Are antivirus solutions enough to protect industrial plants?
White Paper - Are antivirus solutions enough to protect industrial plants?White Paper - Are antivirus solutions enough to protect industrial plants?
White Paper - Are antivirus solutions enough to protect industrial plants?TI Safe
 
Info Security - Vulnerability Assessment
Info Security - Vulnerability AssessmentInfo Security - Vulnerability Assessment
Info Security - Vulnerability AssessmentMarcelo Silva
 
Android malware presentation
Android malware presentationAndroid malware presentation
Android malware presentationSandeep Joshi
 
Introduction To Exploitation & Metasploit
Introduction To Exploitation & MetasploitIntroduction To Exploitation & Metasploit
Introduction To Exploitation & MetasploitRaghav Bisht
 
Vulnerability Assessment Report
Vulnerability Assessment ReportVulnerability Assessment Report
Vulnerability Assessment ReportHarshit Singh Bhatia
 
Hacking Encounters of the 3rd Kind
Hacking Encounters of the 3rd KindHacking Encounters of the 3rd Kind
Hacking Encounters of the 3rd KindImperva
 
Application of Attack Graphs in Intrusion Detection Systems: An Implementation
Application of Attack Graphs in Intrusion Detection Systems: An ImplementationApplication of Attack Graphs in Intrusion Detection Systems: An Implementation
Application of Attack Graphs in Intrusion Detection Systems: An ImplementationCSCJournals
 
Ethical Hacking n VAPT presentation by Suvrat jain
Ethical Hacking n VAPT presentation by Suvrat jainEthical Hacking n VAPT presentation by Suvrat jain
Ethical Hacking n VAPT presentation by Suvrat jainSuvrat Jain
 
How secure are your systems
How secure are your systemsHow secure are your systems
How secure are your systemsCity Unrulyversity
 
IDS - Fact, Challenges and Future
IDS - Fact, Challenges and FutureIDS - Fact, Challenges and Future
IDS - Fact, Challenges and Futureamiable_indian
 
The Security Vulnerability Assessment Process & Best Practices
The Security Vulnerability Assessment Process & Best PracticesThe Security Vulnerability Assessment Process & Best Practices
The Security Vulnerability Assessment Process & Best PracticesKellep Charles
 
Presentation on vulnerability analysis
Presentation on vulnerability analysisPresentation on vulnerability analysis
Presentation on vulnerability analysisAsif Anik
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testingAbu Sadat Mohammed Yasin
 
Tech Report: On the Effectiveness of Malware Protection on Android
Tech Report: On the Effectiveness of Malware Protection on AndroidTech Report: On the Effectiveness of Malware Protection on Android
Tech Report: On the Effectiveness of Malware Protection on AndroidFraunhofer AISEC
 
Cyber intrusion
Cyber intrusionCyber intrusion
Cyber intrusionKishor Datta Gupta
 
Protecting Enterprise - An examination of bugs, major vulnerabilities and exp...
Protecting Enterprise - An examination of bugs, major vulnerabilities and exp...Protecting Enterprise - An examination of bugs, major vulnerabilities and exp...
Protecting Enterprise - An examination of bugs, major vulnerabilities and exp...ESET Middle East
 
A Security Analysis Framework Powered by an Expert System
A Security Analysis Framework Powered by an Expert SystemA Security Analysis Framework Powered by an Expert System
A Security Analysis Framework Powered by an Expert SystemCSCJournals
 
Vulnerability scanners a proactive approach to assess web application security
Vulnerability scanners a proactive approach to assess web application securityVulnerability scanners a proactive approach to assess web application security
Vulnerability scanners a proactive approach to assess web application securityijcsa
 
Nm feb 19, 1951
Nm feb 19, 1951Nm feb 19, 1951
Nm feb 19, 1951Clifford Stone
 
Organisation chart fr
Organisation chart frOrganisation chart fr
Organisation chart frWema Rumbaka
 

Contenu connexe

Tendances

A Comparative Study between Vulnerability Assessment and Penetration Testing
A Comparative Study between Vulnerability Assessment and Penetration TestingA Comparative Study between Vulnerability Assessment and Penetration Testing
A Comparative Study between Vulnerability Assessment and Penetration TestingYogeshIJTSRD
 
Hiding in Plain Sight: The Danger of Known Vulnerabilities
Hiding in Plain Sight: The Danger of Known VulnerabilitiesHiding in Plain Sight: The Danger of Known Vulnerabilities
Hiding in Plain Sight: The Danger of Known VulnerabilitiesImperva
 
White Paper - Are antivirus solutions enough to protect industrial plants?
White Paper - Are antivirus solutions enough to protect industrial plants?White Paper - Are antivirus solutions enough to protect industrial plants?
White Paper - Are antivirus solutions enough to protect industrial plants?TI Safe
 
Info Security - Vulnerability Assessment
Info Security - Vulnerability AssessmentInfo Security - Vulnerability Assessment
Info Security - Vulnerability AssessmentMarcelo Silva
 
Android malware presentation
Android malware presentationAndroid malware presentation
Android malware presentationSandeep Joshi
 
Introduction To Exploitation & Metasploit
Introduction To Exploitation & MetasploitIntroduction To Exploitation & Metasploit
Introduction To Exploitation & MetasploitRaghav Bisht
 
Hacking Encounters of the 3rd Kind
Hacking Encounters of the 3rd KindHacking Encounters of the 3rd Kind
Hacking Encounters of the 3rd KindImperva
 
Application of Attack Graphs in Intrusion Detection Systems: An Implementation
Application of Attack Graphs in Intrusion Detection Systems: An ImplementationApplication of Attack Graphs in Intrusion Detection Systems: An Implementation
Application of Attack Graphs in Intrusion Detection Systems: An ImplementationCSCJournals
 
Ethical Hacking n VAPT presentation by Suvrat jain
Ethical Hacking n VAPT presentation by Suvrat jainEthical Hacking n VAPT presentation by Suvrat jain
Ethical Hacking n VAPT presentation by Suvrat jainSuvrat Jain
 
IDS - Fact, Challenges and Future
IDS - Fact, Challenges and FutureIDS - Fact, Challenges and Future
IDS - Fact, Challenges and Futureamiable_indian
 
The Security Vulnerability Assessment Process & Best Practices
The Security Vulnerability Assessment Process & Best PracticesThe Security Vulnerability Assessment Process & Best Practices
The Security Vulnerability Assessment Process & Best PracticesKellep Charles
 
Presentation on vulnerability analysis
Presentation on vulnerability analysisPresentation on vulnerability analysis
Presentation on vulnerability analysisAsif Anik
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testingAbu Sadat Mohammed Yasin
 
Tech Report: On the Effectiveness of Malware Protection on Android
Tech Report: On the Effectiveness of Malware Protection on AndroidTech Report: On the Effectiveness of Malware Protection on Android
Tech Report: On the Effectiveness of Malware Protection on AndroidFraunhofer AISEC
 
Protecting Enterprise - An examination of bugs, major vulnerabilities and exp...
Protecting Enterprise - An examination of bugs, major vulnerabilities and exp...Protecting Enterprise - An examination of bugs, major vulnerabilities and exp...
Protecting Enterprise - An examination of bugs, major vulnerabilities and exp...ESET Middle East
 
A Security Analysis Framework Powered by an Expert System
A Security Analysis Framework Powered by an Expert SystemA Security Analysis Framework Powered by an Expert System
A Security Analysis Framework Powered by an Expert SystemCSCJournals
 
Vulnerability scanners a proactive approach to assess web application security
Vulnerability scanners a proactive approach to assess web application securityVulnerability scanners a proactive approach to assess web application security
Vulnerability scanners a proactive approach to assess web application securityijcsa
 

Tendances (20)

A Comparative Study between Vulnerability Assessment and Penetration Testing
A Comparative Study between Vulnerability Assessment and Penetration TestingA Comparative Study between Vulnerability Assessment and Penetration Testing
A Comparative Study between Vulnerability Assessment and Penetration Testing
 
Hiding in Plain Sight: The Danger of Known Vulnerabilities
Hiding in Plain Sight: The Danger of Known VulnerabilitiesHiding in Plain Sight: The Danger of Known Vulnerabilities
Hiding in Plain Sight: The Danger of Known Vulnerabilities
 
White Paper - Are antivirus solutions enough to protect industrial plants?
White Paper - Are antivirus solutions enough to protect industrial plants?White Paper - Are antivirus solutions enough to protect industrial plants?
White Paper - Are antivirus solutions enough to protect industrial plants?
 
Info Security - Vulnerability Assessment
Info Security - Vulnerability AssessmentInfo Security - Vulnerability Assessment
Info Security - Vulnerability Assessment
 
Android malware presentation
Android malware presentationAndroid malware presentation
Android malware presentation
 
Introduction To Exploitation & Metasploit
Introduction To Exploitation & MetasploitIntroduction To Exploitation & Metasploit
Introduction To Exploitation & Metasploit
 
Vulnerability Assessment Report
Vulnerability Assessment ReportVulnerability Assessment Report
Vulnerability Assessment Report
 
Hacking Encounters of the 3rd Kind
Hacking Encounters of the 3rd KindHacking Encounters of the 3rd Kind
Hacking Encounters of the 3rd Kind
 
Application of Attack Graphs in Intrusion Detection Systems: An Implementation
Application of Attack Graphs in Intrusion Detection Systems: An ImplementationApplication of Attack Graphs in Intrusion Detection Systems: An Implementation
Application of Attack Graphs in Intrusion Detection Systems: An Implementation
 
Ethical Hacking n VAPT presentation by Suvrat jain
Ethical Hacking n VAPT presentation by Suvrat jainEthical Hacking n VAPT presentation by Suvrat jain
Ethical Hacking n VAPT presentation by Suvrat jain
 
How secure are your systems
How secure are your systemsHow secure are your systems
How secure are your systems
 
IDS - Fact, Challenges and Future
IDS - Fact, Challenges and FutureIDS - Fact, Challenges and Future
IDS - Fact, Challenges and Future
 
The Security Vulnerability Assessment Process & Best Practices
The Security Vulnerability Assessment Process & Best PracticesThe Security Vulnerability Assessment Process & Best Practices
The Security Vulnerability Assessment Process & Best Practices
 
Presentation on vulnerability analysis
Presentation on vulnerability analysisPresentation on vulnerability analysis
Presentation on vulnerability analysis
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testing
 
Tech Report: On the Effectiveness of Malware Protection on Android
Tech Report: On the Effectiveness of Malware Protection on AndroidTech Report: On the Effectiveness of Malware Protection on Android
Tech Report: On the Effectiveness of Malware Protection on Android
 
Cyber intrusion
Cyber intrusionCyber intrusion
Cyber intrusion
 
Protecting Enterprise - An examination of bugs, major vulnerabilities and exp...
Protecting Enterprise - An examination of bugs, major vulnerabilities and exp...Protecting Enterprise - An examination of bugs, major vulnerabilities and exp...
Protecting Enterprise - An examination of bugs, major vulnerabilities and exp...
 
A Security Analysis Framework Powered by an Expert System
A Security Analysis Framework Powered by an Expert SystemA Security Analysis Framework Powered by an Expert System
A Security Analysis Framework Powered by an Expert System
 
Vulnerability scanners a proactive approach to assess web application security
Vulnerability scanners a proactive approach to assess web application securityVulnerability scanners a proactive approach to assess web application security
Vulnerability scanners a proactive approach to assess web application security
 

En vedette

Organisation chart fr
Organisation chart frOrganisation chart fr
Organisation chart frWema Rumbaka
 
Actividades colectivas 14.15
Actividades colectivas 14.15 Actividades colectivas 14.15
Actividades colectivas 14.15bujalance25
 
Akordeon metodu e ftal bugra dodur
Akordeon metodu e ftal bugra dodurAkordeon metodu e ftal bugra dodur
Akordeon metodu e ftal bugra dodurEftalDodur Soundturk
 
Festa de la primavera 2013
Festa de la primavera 2013Festa de la primavera 2013
Festa de la primavera 2013picarols
 

En vedette (20)

Nm feb 19, 1951
Nm feb 19, 1951Nm feb 19, 1951
Nm feb 19, 1951
 
Organisation chart fr
Organisation chart frOrganisation chart fr
Organisation chart fr
 
Efruzhu anti̇cancer drug hu north cyprus 15
Efruzhu anti̇cancer drug hu north cyprus 15Efruzhu anti̇cancer drug hu north cyprus 15
Efruzhu anti̇cancer drug hu north cyprus 15
 
Horario de clases
Horario de clasesHorario de clases
Horario de clases
 
Mgst apresentação 1
Mgst apresentação 1Mgst apresentação 1
Mgst apresentação 1
 
003
003003
003
 
Actividades colectivas 14.15
Actividades colectivas 14.15 Actividades colectivas 14.15
Actividades colectivas 14.15
 
Biblioteca
BibliotecaBiblioteca
Biblioteca
 
Akordeon metodu e ftal bugra dodur
Akordeon metodu e ftal bugra dodurAkordeon metodu e ftal bugra dodur
Akordeon metodu e ftal bugra dodur
 
Actividades
ActividadesActividades
Actividades
 
123258-протоколы
123258-протоколы123258-протоколы
123258-протоколы
 
1
11
1
 
Evaluación+ley+de+ohm
Evaluación+ley+de+ohmEvaluación+ley+de+ohm
Evaluación+ley+de+ohm
 
Away in a manger dtsch
Away in a manger dtschAway in a manger dtsch
Away in a manger dtsch
 
Caricatura pantera rosa coerel draw x5
Caricatura pantera rosa coerel draw x5Caricatura pantera rosa coerel draw x5
Caricatura pantera rosa coerel draw x5
 
Mapa demanda
Mapa demandaMapa demanda
Mapa demanda
 
Festa de la primavera 2013
Festa de la primavera 2013Festa de la primavera 2013
Festa de la primavera 2013
 
Presentation1
Presentation1Presentation1
Presentation1
 
Santa Rosa de Lima
Santa Rosa de LimaSanta Rosa de Lima
Santa Rosa de Lima
 
C.s 1
C.s 1C.s 1
C.s 1
 

Similaire à Exploits Attack on Windows Vulnerabilities

Finalppt metasploit
Finalppt metasploitFinalppt metasploit
Finalppt metasploitdevilback
 
Meta sploit (cyber security)
Meta sploit (cyber security) Meta sploit (cyber security)
Meta sploit (cyber security) Rajal Patel
 
01_Metasploit - The Elixir of Network Security
01_Metasploit - The Elixir of Network Security01_Metasploit - The Elixir of Network Security
01_Metasploit - The Elixir of Network SecurityHarish Chaudhary
 
Exploring the Social Engineering Toolkit (Set) Using Backtrack 5R3
Exploring the Social Engineering Toolkit (Set) Using Backtrack 5R3Exploring the Social Engineering Toolkit (Set) Using Backtrack 5R3
Exploring the Social Engineering Toolkit (Set) Using Backtrack 5R3IJERA Editor
 
IRJET- Cross Platform Penetration Testing Suite
IRJET- Cross Platform Penetration Testing SuiteIRJET- Cross Platform Penetration Testing Suite
IRJET- Cross Platform Penetration Testing SuiteIRJET Journal
 
Chapter 9 system penetration [compatibility mode]
Chapter 9 system penetration [compatibility mode]Chapter 9 system penetration [compatibility mode]
Chapter 9 system penetration [compatibility mode]Setia Juli Irzal Ismail
 
Introduction To Ethical Hacking
Introduction To Ethical HackingIntroduction To Ethical Hacking
Introduction To Ethical HackingRaghav Bisht
 
Final project.ppt
Final project.pptFinal project.ppt
Final project.pptshreyng
 
Nt2580 Unit 7 Chapter 12
Nt2580 Unit 7 Chapter 12Nt2580 Unit 7 Chapter 12
Nt2580 Unit 7 Chapter 12Laura Arrigo
 
When developer's api simplify user mode rootkits developing.
When developer's api simplify user mode rootkits developing.When developer's api simplify user mode rootkits developing.
When developer's api simplify user mode rootkits developing.Yury Chemerkin
 
Module 5 (system hacking)
Module 5 (system hacking)Module 5 (system hacking)
Module 5 (system hacking)Wail Hassan
 
Metasploit (Module-1) - Getting Started With Metasploit
Metasploit (Module-1) - Getting Started With MetasploitMetasploit (Module-1) - Getting Started With Metasploit
Metasploit (Module-1) - Getting Started With MetasploitAnurag Srivastava
 
IRJET- Zombie - Venomous File: Analysis using Legitimate Signature for Securi...
IRJET- Zombie - Venomous File: Analysis using Legitimate Signature for Securi...IRJET- Zombie - Venomous File: Analysis using Legitimate Signature for Securi...
IRJET- Zombie - Venomous File: Analysis using Legitimate Signature for Securi...IRJET Journal
 
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft WindowsInvestigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft WindowsAaron ND Sawmadal
 
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft WindowsInvestigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft WindowsAaron ND Sawmadal
 

Similaire à Exploits Attack on Windows Vulnerabilities (20)

Finalppt metasploit
Finalppt metasploitFinalppt metasploit
Finalppt metasploit
 
Pentesting with linux
Pentesting with linuxPentesting with linux
Pentesting with linux
 
Metasploit
MetasploitMetasploit
Metasploit
 
Meta sploit (cyber security)
Meta sploit (cyber security) Meta sploit (cyber security)
Meta sploit (cyber security)
 
01_Metasploit - The Elixir of Network Security
01_Metasploit - The Elixir of Network Security01_Metasploit - The Elixir of Network Security
01_Metasploit - The Elixir of Network Security
 
Exploring the Social Engineering Toolkit (Set) Using Backtrack 5R3
Exploring the Social Engineering Toolkit (Set) Using Backtrack 5R3Exploring the Social Engineering Toolkit (Set) Using Backtrack 5R3
Exploring the Social Engineering Toolkit (Set) Using Backtrack 5R3
 
IRJET- Cross Platform Penetration Testing Suite
IRJET- Cross Platform Penetration Testing SuiteIRJET- Cross Platform Penetration Testing Suite
IRJET- Cross Platform Penetration Testing Suite
 
Chapter 9 system penetration [compatibility mode]
Chapter 9 system penetration [compatibility mode]Chapter 9 system penetration [compatibility mode]
Chapter 9 system penetration [compatibility mode]
 
Introduction To Ethical Hacking
Introduction To Ethical HackingIntroduction To Ethical Hacking
Introduction To Ethical Hacking
 
Final project.ppt
Final project.pptFinal project.ppt
Final project.ppt
 
Nt2580 Unit 7 Chapter 12
Nt2580 Unit 7 Chapter 12Nt2580 Unit 7 Chapter 12
Nt2580 Unit 7 Chapter 12
 
When developer's api simplify user mode rootkits developing.
When developer's api simplify user mode rootkits developing.When developer's api simplify user mode rootkits developing.
When developer's api simplify user mode rootkits developing.
 
Module 5 (system hacking)
Module 5 (system hacking)Module 5 (system hacking)
Module 5 (system hacking)
 
Open port vulnerability
Open port vulnerabilityOpen port vulnerability
Open port vulnerability
 
Metasploit (Module-1) - Getting Started With Metasploit
Metasploit (Module-1) - Getting Started With MetasploitMetasploit (Module-1) - Getting Started With Metasploit
Metasploit (Module-1) - Getting Started With Metasploit
 
IRJET- Zombie - Venomous File: Analysis using Legitimate Signature for Securi...
IRJET- Zombie - Venomous File: Analysis using Legitimate Signature for Securi...IRJET- Zombie - Venomous File: Analysis using Legitimate Signature for Securi...
IRJET- Zombie - Venomous File: Analysis using Legitimate Signature for Securi...
 
Metasploit
MetasploitMetasploit
Metasploit
 
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft WindowsInvestigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
 
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft WindowsInvestigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
 
OS-Anatomy-Article
OS-Anatomy-ArticleOS-Anatomy-Article
OS-Anatomy-Article
 

Exploits Attack on Windows Vulnerabilities

  • 1. 1 | P a g e A Project Report On “ Exploiting Vulnerabilities Of Operating System Using Metasploits” Submitted By Mr.Amit Vikas Kumbhar To Mr.Sandeep Kumar Appin Technology Lab Jayanagar, Banglore IT Security and Ethical Hacking
  • 2. 2 | P a g e  Introduction.  Exploits.  Classification  Metasploit.  Histry of Metasploit  Use Of Metasploit  Metasploit Framework  Exploit.  Definition  Types Of Exploits  Payload.  Definition  Types Of Payload  Functions Of Payload  Graphical Overview of Metasploit  Steps for exploiting Vulnerabilities  Pre–Exploting Phase  Lab setup  Example 1)  Exploit :  Payload :  Example 2)  Exploit :  Payload : Contents Classification. Histry of Metasploit. Use Of Metasploit. Metasploit Framework. Definition. Types Of Exploits. Definition. Types Of Payload. Functions Of Payload. Graphical Overview of Metasploit. Steps for exploiting Vulnerabilities Exploting Phase. Exploit :- windows/dcerpc/ms03_026_dcom Payload :- windows/add_user Exploit :- windows/dcerpc/ms03_026_dcom Payload :- windows/generic_shell_bind_tcp windows/dcerpc/ms03_026_dcom windows/dcerpc/ms03_026_dcom windows/generic_shell_bind_tcp
  • 3. 3 | P a g e  Example 3)  Exploit :- windows/dcerpc/ms03_026_dcom  Payload :- windows/meterpreter/bind_tcp
  • 4. 4 | P a g e Introduction :- How tough is it to really compromise a system? Most security professionals are aware attacking and penetrating network devices is getting easier and attack sophistication is getting more complex. In large part this phenomenon is due to the old adage of "standing on the shoulders of giants." Many system researchers have uncovered the security weakness is common system design years ago, and as security professionals they shared the information. This allows someone with little understanding of system architecture to be able to perform more complex attacks than ever though possible. For a security professional it is possible to compromise a system without spending months learning a programming language and years learning system architecture. We can actually use technology to assist in performing penetration system penetration. Products like Core Security's Core Impact and Immunity's Canvas products have been providing this type of functionality for a few years now. These manufacturers do not just provide the technology, but they also provide training and support of their products to allow a qualified professional to perform a more methodological penetration test. It makes the task of compromising a system easier for a security administrator. The previously mentioned utilities are both fee based products, but more recently an open source product has become a common sight in penetration testing kits. This utility is called Metasploit™. Both Windows and Linux users can take advantage of the Metasploit™ product to perform a penetration test or system compromise. The utility itself is written in many programming languages including perl, C, and assembler. This environment provides many ready to use exploits and also allows for the security tester to customize them or to create their own exploit. The basic process for using the Metasploit™ console is not the most intuitive, but I think this was done to discourage the least skilled script kiddies from attempting to penetrate the system using this specific utility.
  • 5. 5 | P a g e Exploit s: An exploit (from the same word in the French language, meaning "achievement", or "accomplishment") is a piece of software, a chunk of data, or sequence of commands that take advantage of a bug, glitch or vulnerability in order to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic (usually computerised). This frequently includes such things as gaining control of a computer system or allowing privilege escalation or a denial of service attack. Vulnerability :- Vulnerability is a weakness which allows attacker to break into or compremise system security. Classification :- There are several methods of classifying exploits. The most common is by how the exploit contacts the vulnerable software. A 'remote exploit' works over a network and exploits the security vulnerability without any prior access to the vulnerable system. A 'local exploit' requires prior access to the vulnerable system and usually increases the privileges of the person running the exploit past those granted by the system administrator. Exploits against client application lso exist, usually consisting of modified servers that send an exploit if accessed with client application. Exploits against client applications may also require some interaction with the user and thus may be used in combination with social engineering method. This is the hacker way of getting into computers and websites for stealing data. Another classification is by the action against vulnerable system: unauthorised data access,arbitrary code execution ,denial of service. Many exploits are designed to provide superuser -level access to a computer system. However, it is also possible to use several exploits, first to gain low-level access, then to escalate privileges repeatedly until one reaches root. Normally a single exploit can only take advantage of a specific software vulnerability. Often, when an exploit is published, the vulnerability is fixed through a patch and the exploit becomes obsolete for newer versions of the
  • 6. 6 | P a g e software. This is the reason why some blackhat hackers do not publish their exploits but keep them private to themselves or other crackers. Such exploits are referred to as zero day exploits' and to obtain access to such exploits is the primary desire of unskilled attackers, often nicknamed script kiddies. Types :- Exploits are commonly categorized and named by these criteria:  The type of vulnerability they exploit (See the article on vulnerabilities for a list)  Whether they need to be run on the same machine as the program that has the vulnerability (local) or can be run on one machine to attack a program running on another machine (remote).  The result of running the exploit (Eop, Dos, Spoofing, etc...) Pivoting :- Pivoting refers to method used by Penetration Testers that uses compromised system to attack other systems on the same network to avoid restrictions such as firewall configurations, which may prohibit direct access to all machines. For example, an attacker compromises a web server on a corporate network, the attacker can then use the compromised web server to attack other systems on the network. These types of attacks are often called multi-layered attacks. Pivoting is also known as island hopping. Pivoting can further be distinguished into proxy pivoting and VPN pivoting: Proxy pivoting generally describes the practice channeling traffic through a compromised target using a proxy payload on the machine and launching attacks from this computer. This type of pivoting is restricted to certain TCP and UDP ports that are supported by the proxy.  VPN pivoting enables the attacker to create an encrypted layer 2 tunnel into the compromised machine to route any network traffic through that target machine, for example to run a vulnerability scan on the internal network through the compromised machine, effectively giving the attacker full network access as if she were behind the firewall. Typically, the proxy or VPN applications enabling pivoting are executed on the target computer as the Payload (software) of an exploit.
  • 7. 7 | P a g e “The Metasploit Framework is a development platform for creating security tools and exploits. The framework is used by network security professionals to perform penetration tests, system administrators to verify patch installations, product vendors to perform regression testing,and security researchers world-wide.” History of Metasploit :- The Metasploit project was originally started as a network security game by four core developers. It then developed gradually to a Perl-based framework for running, configuring, and developing exploits for well-known vulnerabilities.The 2.1 stable version of the product was released in June 2004. Since then, the development of the product and the addition of new exploits and payloads have rapidly increased. The Metasploit Project is an open-source computer security project which provides information about security vulnerabilities and aids in penetration testing and IDS signature development. Its most well-known sub-project is the Metasploit Framework, a tool for developing and executing exploit code against a remote target machine. Other important sub-projects include the Opcode Database, shellcode archive, and security research. The Metasploit Project is also well-known for anti-forensic and evasion tools, some of which are built into the Metasploit Framework. Metasploit was created by HD Moore in 2003 as a portable network game using the Perl scripting language. Later, the Metasploit Framework was then completely rewritten in the Ruby programming language. It is most notable for releasing some of the most technically sophisticated exploits to public security vulnerabilities. In addition, it is a powerful tool for third-party security researchers to investigate potential vulnerabilities. On October 21, 2009 the Metasploit Project announced that it had been acquired by Rapid7, a security company that provides unified vulnerability management solutions.
  • 8. 8 | P a g e Like comparable commercial products such as Immunity's Canvas or Core Security Technologies'Core Impact, Metasploit can be used to test the vulnerability of computer systems in order to protect them, and it can be used to break into remote systems. Like many information security tools, Metasploit can be used for both legitimate and unauthorized activities. Since the acquisition of the Metasploit Framework, Rapid7 has added an commercial edition called Metasploit Express, while keeping the Metasploit Framework updated and free. Metasploit's emerging position as the de facto vulnerability development framework has led in recent times to the release of software vulnerability advisories often accompanied by a third party Metasploit exploit module that highlights the exploitability, risk, and remediation of that particular bug. Metasploit 3.0 (Ruby language) is also beginning to include fuzzing tools, to discover software vulnerabilities in the first instance, rather than merely writing exploits for currently public bugs. This new avenue has been seen with the integration of the lorcon wireless (802.11) toolset into Metasploit 3.0 in November, 2006. Metasploit use :- Metasploit came about primarily to provide a framework for penetration testers to develop exploits.The typical life cycle of a vulnerability and its exploitation is as follows: 1. Discovery :- A security researcher or the vendor discovers a critical security vulnerability in the software. 2. Disclosure :-The security researcher either adheres to a responsible disclosure policy and informs the vendor, or discloses it on a public mailing list. Either way, the vendor needs to come up with a patch for the vulnerability. 3. Analysis :-The researcher or others across the world begin analyzing the vulnerability to determine its exploitability. Can it be exploited? Remotely? Would the exploitation result in remote code execution, or would it simply crash the remote service? What is the length of the exploit code that can be injected? This phase also involves debugging the vulnerable application as malicious input is injected to the vulnerable piece of code.
  • 9. 9 | P a g e 4. Exploit Development :- Once the answers to the key questions are determined, the process of developing the exploit begins.This has usually been considered a bit of a black art, requiring an in-depth understanding of the processor’s registers, assembly code, offsets, and payloads. www.syngress.com 5. Testing :- This is the phase where the coder now checks the exploit code against various platforms, service pack, or patches, and possibly even for different processors (e.g., Intel, Sparc, and so on). 6. Release:- Once the exploit is tested, and the specific parameters required for its successful execution have been determined, the coder releases the exploit, either privately or on a public forum. Often, the exploit is tweaked so that it does not work right out of the box.This is usually done to dissuade script kiddies from simply downloading the exploit and running it against a vulnerable system.
  • 10. 10 | P a g e Metasploit Framework This modularity of allowing to combine any exploit with any advantage of the Framework: it facilitates the tasks of attackers, exploit writers, and payload writers. Versions of the Metasploit Framework since v3.0 are written in the Programming Language. The previous version 2.7, was implem runs on all versions of Unix (including Linux and Mac OS X), and also on Windows. It includes two command line interfaces native GUI. The web interface is intended to be run from the attacker's computer. The Metasploit Framework can be extended to use external add languages. To choose an exploit and payload, some information about the target system is needed such as operating system version and installed network services. This information can be gleaned with as nmap. Nessus can, in addition, detect the target system's Metasploit Framework : This modularity of allowing to combine any exploit with any payload is the major advantage of the Framework: it facilitates the tasks of attackers, exploit writers, Versions of the Metasploit Framework since v3.0 are written in the Ruby . The previous version 2.7, was implemented in runs on all versions of Unix (including Linux and Mac OS X), and also on command line interfaces , a web-based interface and a native GUI. The web interface is intended to be run from the attacker's computer. Metasploit Framework can be extended to use external add-ons in multiple To choose an exploit and payload, some information about the target system is needed such as operating system version and installed network services. This information can be gleaned with Port scanning and OS fingerprinting in addition, detect the target system's vulnerabilities payload is the major advantage of the Framework: it facilitates the tasks of attackers, exploit writers, Ruby ented in Perl. It runs on all versions of Unix (including Linux and Mac OS X), and also on based interface and a native GUI. The web interface is intended to be run from the attacker's computer. ons in multiple To choose an exploit and payload, some information about the target system is needed such as operating system version and installed network services. This OS fingerprinting tools such vulnerabilities.
  • 11. 11 | P a g e In April 2010, Rapid7 released Metaploit Express, which is a commercial version of Metasploit. Based on the Metasploit Framework, it offers a graphical user interface, integrates nmap for discovery, and adds smart bruteforcing as well as automated evidence collection. Rapid7 has a full-featured 7-day trial for Metasploit Express. Exploits :- It is a code which allows an attacker to take advantage of vulnerable System. Exploit Types :-  Pretty much any protocol UDP, TCP, SMB, HTTP, FTP, SMTP, TFTP, SSH, etc  Active, Passive, Brute-Force  Remote, Local, User-Interaction (technically remote category)  Remote: windows/dcerpc/ms03_026_dcom  Local: no real local examples, but doable  User-Interaction--All your browser, “have to click on something,” type exploits  windows/browser/ms06_013_createtextrange Payloads :- Payload is Arbitrary code that is to be executed upon successful exploitation.It is a acutal code which run on the system after exploitation. Types Of Payloads :- 1) Single [shell_reverse_tcp = inline (single)] :-  A self-contained payload that performs a specific task  Size varies depending on the task  Example: Reverse or bind command shell
  • 12. 12 | P a g e 2) Stager [shell/reverse_tcp = stager] :-  A stub payload that loads / bootstraps a stage  Size generally much smaller than single payloads  Passes connection information onto the stage 3) Stage :-  Similar to a single payload, but takes advantage of staging.  Uses connection passed from the stager.  Not subject to size limitations of individual vulnerabilities  A stager can also be a stage Functions of Payloads :- Bind Shell: setup a socket, bind it to a specific port and listen for connection. Upon accepting a connection spawn a shell. Victim has to allow incoming connections on selected port. Reverse Shell: instead of binding to a port waiting for connection, the shellcode simply connect to a predefined IP and port number and spawn a shell. Find Tag: find socket style payloads that search for a socket based on the presence of a tag on the wire. Find_Port: payloads that search for a socket by comparing peer port names relative to the target machine. Ordinal Payloads: Uses static ordinals in WS2_32.DLL to locate symbol addresses. Leads to very tiny win32 stagers (92 byte reverse, 93 byte findsock) Reverse Http: called PassiveX payloads in 2.x. Tunnel communication over HTTP using IE 6. Payload modifies registry and launches IE, IE loads custom ActiveX control to stage the payload, Uses standard IE proxy and authorization settings, Can be used to inject VNC, Meterpreter, custom dlls. Adduser: Executes the net user x x /add & net localgroup administrators x /add Downloadexec: Download a .exe from a URL and execute it
  • 13. 13 | P a g e Uploadexec: uploads a .exe from local computer and executes Exec: execute a command of your choice Dllinject: injects a custom dll (you'll have to supply the dll) VNCinject: injects a custom VNC server dll into memory Meterpreter: the super payload, custom dll injected into memory (more on Day2); tons of postexploitation tools Opcode Database The Opcode Database is an important resource for writers of new exploits. Buffer overflow exploits on Windows often require precise knowledge of the position of certain machine language opcodes in the attacked program or included DLLs. These positions differ in the various versions and patch-levels of a given operating system, and they are all documented and conveniently searchable in the Opcode Database. This allows one to write buffer overflow exploits which work across different versions of the target operating system. Shellcode Database The Shellcode database contains the payloads (also known as shellcode) used by the Metasploit Framework. These are written in assembly language and full source code is available.
  • 14. 14 | P a g e Graphical Overview of Metasploit :- Steps for exploiting Vulnerabilities :- 1. Choosing and configuring an exploit(code that enters a target system by taking advantage of one of its bugs; about 300 different exploits for windows, Unix/Linux and Mac OS systems are included); 2. Checking whether the intended target system is susceptible to the chosen exploit (optional); 3. Choosing and configuring a Payload (code that will be executed on the target system upon successful entry, for instance a remote shell or aVNC Server); 4. Choosing the encoding technique to encode the payload so that the Intrusion Prevention System (IPS) will not catch the encoded payload; 5. Executing the exploit.
  • 15. 15 | P a g e  Pre–Exploiting Phase :- Using exploit for penetration testing is legal, hence if you want to penetratate your own system environment will not be illegal. But as I don’t have the real time environment I have created it using some third party softwares and operating systems as given below. 1) Install Vmware/Virtual PC which allows you to install various operating systems to use it at the same time.These softwares also creates a virtual network between the host operating systems and the own operating system.so the beginners can do the real practices or penetration on his own. 2) Install Metasploit Framework on the attackers system and start penetrating systems on the host operating systems installed in vmware.  Lab Setup  Own operating system – Windows XP professional Service pack 3 IP Address – 192.168.23.1  Host operating system 1 – Windows XP professional 2002 Services pack 1 IP Address – 192.168.23.131  Host operating system 2 – Windows XP professional Services pack 2 IP Address – 192.168.23.133
  • 16. 16 | P a g e  Exploiting Vulnerability :- 1) Exploit :- windows/dcerpc/ms03_026_dcom Payload :- Windows/adduser Rort :- 135 Rhost :- 192.168.23.131 Steps - Click on msfconsole on program list on start buttons.it show the below,
  • 17. 17 | P a g e Steps – use any exploit from list of exploits using keyword “use” following with exploit name.
  • 18. 18 | P a g e Steps – watch exploits options “show options” to fill with appropriate values with “set ” keyword.
  • 19. 19 | P a g e Steps – This is the target host operating system on vmware on whos IP address is 192.168.23.131
  • 20. 20 | P a g e Steps – set the value of RHOST with target IP address. set other default values if you want to change.
  • 21. 21 | P a g e Steps - To see the list of PAYLOADS use command “Show payloads” and select the PAYLOAD you want to set with keyword following with PAYLOAD name.
  • 22. 22 | P a g e Steps - Type “show option ” again to set values of PAYLOADS and set it appropriately. set TARGET the same as the target operating system if there are multiple targets shown in options .
  • 23. 23 | P a g e Steps - To exploit the vulnerability type the keyword “exploit” it will start attacking on the given target system.
  • 24. 24 | P a g e Steps – Target system after exploiting the vulnerability it created a new user account “Metasploit ” with password “metasploit” with administrator privileges.
  • 25. 25 | P a g e 2) Exploit :- windows/dcerpc/ms03_026_dcom Payload :- generic/shell_bind_tcp Rort :- 135 Rhost :- 192.168.23.131 Steps – select any exploit.
  • 26. 26 | P a g e  The Target systems IP address.
  • 27. 27 | P a g e  Step - set IP address of target system as “set HOST ” following with ip.
  • 28. 28 | P a g e  Step – set PAYLOAD generic/shell_bind_tcp
  • 29. 29 | P a g e  Step :- use exploits to execute attack on the Target system
  • 30. 30 | P a g e  Step :- Browsing the target system. Created a Folder named “system Hacked” on the Desktop.
  • 31. 31 | P a g e Screen shot :- These is the screen shot of the target system after attack where you can see the folder named “Hacked system” which is remotely created by the attacker which identifies the system is vulnerable. Remotely created folder on target system
  • 32. 32 | P a g e 3) Exploit :- windows/dcerpc/ms03_026_dcom Payload :- Windows/meterpreter/bind_tcp Rort :- 135 Rhost :- 192.168.23.133  Windows/dcerpc/ms-3_026_dcom exploit is selected to exploit the target system vulnerabilities.
  • 33. 33 | P a g e  Here the options are checked using the command show options
  • 34. 34 | P a g e  In this step the PAYLOAD windows/meterpreter/bind_tcp is set to attack on the target system.
  • 35. 35 | P a g e  This step starts exploiting the target system.
  • 36. 36 | P a g e  Here Using “ipconfig ” command the IP address and other useful information is carried out.
  • 37. 37 | P a g e  Using metasploit core commands we can read,write or delete the data on the target sytem as show below.
  • 38. 38 | P a g e  Here as per the file extension type or file name type we can search any file on any directory as show below I typed “search –d c: -f * .txt” to search all text files which shows following result.
  • 39. 39 | P a g e  As per search I found some file named “Confidential.txt” on the desktop of user “meet” so I went on the path where the file exsist and Downloaded with the command “Download confidential.txt”
  • 40. 40 | P a g e  Previously downloaded file is copided in the local attackers system in the folder of the “Metasploit” in Program Files as show below, Downloaded confidential file from Target system remotely
  • 41. 41 | P a g e  Here is the file we downloaded from the attackers system as we can see it resides on the desktop.
  • 42. 42 | P a g e  Here we deleted that file from the storage device of the target system.
  • 43. 43 | P a g e  Now you can see that the file we deleted is not visible on the desktop as we know it is deleted.
  • 44. 44 | P a g e Bibilography  www.exploits.com  www.google.com  www.wikipedia.com 