Updated Metasploit Presentation

CUCyber · Oct 4, 2018 · abf262d · abf262d
1 parent ada09ae
commit abf262d
Showing 1 changed file with 70 additions and 109 deletions.
diff --git a/pentesting/metasploit.md b/pentesting/metasploit.md
@@ -1,6 +1,6 @@
 # Intro To Metasploit
 
-By: Mackenzie Binns
+By: Mackenzie Binns and Nick Bulischeck
 
 CU Cyber
 
@@ -13,80 +13,22 @@ Visit [cucyber.net](https://cucyber.net/) to find these presentations and more o
 
 
 
-# What is Metasploit
+## What is Metasploit?
 
+Note:
+Metasploit is a penetration testing platform that enables you to find, exploit, and validate vulnerabilities.
 
-## It's Not Latin
-
-* The root term in Metasploit is "-sploit"
-* Metasploit is primarily an exploitation framework that uses "payloads" to perform a defined set of operations to compromise a system
-
-
-## Payloads
-
-* A payload is what Metasploit uses to preform exploits
-* Automated exploit on a system that matches criteria for the payload
-* Payload can facilitate creating a remote shell on the system
 
-Note:
-e.g. a system that has heartbleed vulnerable OpenSSL v1 & 2
+## Setting Up MSF
 
 
-## Database
+### Database
 
 * Metasploit uses a PostgreSQL Database to manage work flows and information
 * This database can hold recovered usernames, passwords, sessions, etc.
 
 
-
-# Setting up Database
-
-
-## Ubuntu Installation
-
-```bash
-sudo sh -c 'echo "deb http://apt.postgresql.org/pub/repos/apt/ `lsb_release -cs`-pgdg main" >> /etc/apt/sources.list.d/pgdg.list'
-
-wget -q https://www.postgresql.org/media/keys/ACCC4CF8.asc -O - | sudo apt-key add -
-```
-
-* You then need to update your package manager to recognize the new repository
-
-```bash
-sudo apt-get update
-
-sudo apt-get install postgresql postgresql-contrib
-```
-
-Note:
-* After all this is done you will now have a user on your system called 'postgres'
-* This user will have the role 'postgres' and you will be able to log in as this user to preform administration of the DB
-* You may want to change this user's password using `passwd`
-
-
-## Fedora Installation
-
-* Install PostgreSQL on your system
-
-```bash
-sudo dnf install postgresql-server postgresql-contrib
-```
-
-* On Fedora, postgres is turned off and disabled by default
-* To enable it, run the command of your choice below
-
-```bash
-# To start the server at start up
-sudo systemctl enable --now postgresql
-```
-
-```bash
-# To run the server as needed
-sudo systemctl start postgresql
-```
-
-
-## Kali Linux
+#### Kali Linux
 
 * Setting up the database is much easier in Kali Linux
 * First you must start the postgres service
@@ -101,10 +43,8 @@ service postgresql start
 msfdb init
 ```
 
-* Done!
-
 
-## Initializing the Database
+### Initializing the Database
 
 * Before PostgreSQL can work correctly you must initialize a database
 * Switch your user to the 'postgres' user using either
@@ -132,7 +72,7 @@ Note:
     - If root is under home then make sure you turn off the `ProtectHome` option
 
 
-## Creating the msf database
+### Creating the msf database
 
 * We need to create a user that Metasploit will connect to the database with
 
@@ -152,10 +92,10 @@ Note:
 
 
 
-# Setting Up Metasploit
+## Setting Up Metasploit
 
 
-## Connect Metasploit to the DB
+### Connect Metasploit to the DB
 
 * Now we need to tell Metasploit
     - What user to connect to the database with
@@ -181,10 +121,10 @@ Note:
 
 
 
-# Metasploit Info
+## Metasploit Info
 
 
-## Module types
+### Module types
 
 * Everything in Metasploit is a module
 * 6 types of modules
@@ -196,75 +136,96 @@ Note:
     - nop
 
 
-### Auxiliary
+#### Auxiliary
 
 * Modules that are good for information gathering
 * Port scanning
 * Version detection
 * Network traffic analysis
 
 
-### Exploit
+### Exploits
+
+* Weaponized code that targets a vulnerability on a system
+* Only works on systems that match the specific exploit criteria
 
-* The code that will take advantage of a vulnerability
-* This could be used, for example, to exploit a buffer overflow
 
+### Payloads
 
-### Payload
+* A payload is what Metasploit uses to execute specific actions on a remote system post-exploitation
+ - Open a remote shell
+ - Meterpreter session
+* Comes in 3 main forms:
+ - Inline (Non Staged)
+ - Stagers
+ - Stages
 
-* This is typically done after a successful exploit
-* Can be used to preform an action on the server once compromised
-    - Open a remote shell
-    - Meterpreter session
+Note:
+* Singles are payloads that are self-contained and completely standalone. A Single payload can be something as simple as adding a user to the target system or running calc.exe.
+* Stagers setup a network connection between the attacker and victim and are designed to be small and reliable.
+* Stages are payload components that are downloaded by Stagers modules.
+
+
+#### Payload Types
+
+* Inline (Non Staged)
+* Stager
+* Meterpreter
+* PassiveX
+* NoNX
+
+Note:
+* Meterpreter resides completely in the memory of the remote host and leaves no traces on the hard drive, making it very difficult to detect with conventional forensic techniques
+* PassiveX is a payload that can help in circumventing restrictive outbound firewalls. It does this by using an ActiveX control to create a hidden instance of Internet Explorer
+* NoNX is designed to circumvent DEP on Windows.
 
 
-### Post
+#### Post
 
 * This is typically done after a successful exploit and remote connections are set
-* This is used for
-    - Collecting passwords
-    - Setting up key loggers
-    - Downloading files
+* This is used for:
+ - Collecting passwords
+ - Setting up key loggers
+ - Downloading files
 
 
-### Encoder
+#### Encoder
 
-* Programs for performing encryption
+* Programs for performing encryption/character removal
+
+Note:
+* When creating an Exploit Payload, we have several things to consider, from the operating system architecture, to anti-virus, IDS, IPS, etc.
+* By default Metasploit will select the best encoder to accomplish the task at hand. The encoder is responsible for removing unwanted characters (amongst other things) entered when using the -b switch.
 
 
-### NOP
+#### NOP
 
 * NOP generators for creating assembly code that does nothing
 
+Note:
+* In evading detection of our exploits, we will want to encode our payloads to remove any bad characters and add some randomness to the final output using NOPs.
 
 
-# Searching Metasploit
+## Searching Metasploit
 
 
-## Search Filters
+### Search Filters
 
 * Searching with the database is very fast
 * Search fields
-    - app
     - author
     - type
     - name
     - platform
     - bid,cve,edb,osvdb,ref
 
 
-### App
-
-* Client
-* Server
-
-
-### Author
+#### Author
 
 * Module author
 
 
-### Type
+#### Type
 
 * auxiliary
 * exploit
@@ -274,27 +235,27 @@ Note:
 * nop
 
 
-### Name
+#### Name
 
 * Any phrase
 
 
-### Platform
+#### Platform
 
 * The type of thing you are looking at attacking
 * E.g. Windows, Linux, Python, Ruby, Cisco, etc.
 
 
-### Searching Exploit Databases
+#### Searching Exploit Databases
 
 * Allows you to search CVE exploit ID's
 
 
 
-# Using Metasploit
+## Using Metasploit
 
 
-## man use
+### man use
 
 * `use <exploit>` will load the exploit and allow you to use it
 
@@ -309,7 +270,7 @@ info <path to exploit>
 ```
 
 
-## Firing Off an Exploit!
+### Firing Off an Exploit!
 
 * After you select an exploit to use, you must configure the setting to match your target
 
@@ -320,7 +281,7 @@ show options
 * Show options will provide a list of things you need/would like to configure before the exploit can be used
 
 
-### Show options basics
+#### Show options basics
 
 * `RHOST` - Remote host, typically an IP address or a DNS name of the target
 * `RHOSTS` - Same as `RHOST` but can define multiple targets
@@ -332,7 +293,7 @@ Note:
 Word lists can be found online, ROCKYOU is a good starting point.
 
 
-## Payloads
+### Payloads
 
 * You can run exploits with out a payload
 * They will do nothing for you and you will not be able to do anything to the machine