METASPLOIT FRAMEWORK PRIMER
Null-OWASP Bangalore
18th January, 2020
AGENDA
• Introduction
• Scenario
• Definitions
• Msfconsole
• Demo
• Sources
• QnA
INTRODUCTION
Created in 2003 by HD Moore
Open Source
Automates assessments
Pentester’s Swiss Chainsaw
Vulnerability Research
Modular & customizable
Multiple Attack Vectors
Used by Red & Blue Teamers alike
DEFINITIONS
• Vulnerability –
“weakness in a system allowing an attacker to violate the
confidentiality, integrity, availability, access control, consistency or
audit mechanisms of the system or the data and applications it hosts”
• Exploit –
“a software tool designed to take advantage of a flaw in a computer
system, typically for malicious purposes such as installing malware.”
• Payload –
“an explosive warhead carried by an aircraft or missile.”
“piece of code to be executed through said exploit”
• Penetration Testing –
“practice of testing a computer system, network or web application to
find security vulnerabilities that an attacker could exploit.”
• Modules –
“piece of software that the Metasploit Framework uses to perform a task,
such as exploiting or scanning a target. A module can be an exploit
module, auxiliary module, or post-exploitation module.”
• Remote Code/Command Execution –
“…an attacker is able to run code/command of their own choosing with
system level privileges on a server that possesses the appropriate
weakness.”
• Backdoor –
“covert method of bypassing normal authentication or encryption”
“secret portal that hackers and intelligence agencies use to gain illicit
access.”
Exploit = Vulnerability + Payload
SCENARIO
ag3ntggwp, you’re given a task.
You have to test an entire subnet, enumerate the
running services, look out for exploits that are
public and any of the services that are vulnerable.
Once you confirm, you also need to show a Proof
of Concept.
Once done, you’re free to go. All your charges will
be dropped for life.
Your thoughts?
Enter Metasploit
msfconsole
• Console based interface
• Full read-line support, tabbing, and command completion
• Run system commands from within the console
• In need of help, “help” shall save thou
You have succeeded in life
when all you really want
is only what you really need
search <operator>:<value>
• regular-expression based search functionality
• search by module name, path, platform, author, CVE ID, BID, OSVDB ID, module type, or application
• Operators: name author platform type app cve
• e.g.: search cve:CVE-2011-2523
use <module_path>
• changes your context to a specific module
• Global variables that have been set remain unchanged
• e.g.: use auxiliary/scanner/portscan/tcp
show <module_type>
• displays every module contained in Metasploit
• e.g.:
show auxiliary
show exploits
show payloads
show options
set <param> <value>
• configure Framework options and parameters
• setg sets global parameters
• Payload combinations using set
• e.g.: set RHOSTS 192.168.56.102
RUN.
IMPORTANT
• Metasploit won’t make you a Hacker.
• Metasploit won’t make you a Hacker.
• Metasploit won’t make you a Hacker.
Demo :)
Sources
• https://www.offensive-security.com/metasploit-unleashed/
• https://medium.com/@hakluke/haklukes-guide-to-hacking-without-metasploit-1bbbe3d14f90
• https://www.sciencedirect.com/topics/computer-science/metasploit-framework
• https://github.com/rapid7/metasploit-framework
• HackerSploit YouTube Tutorials
• Metasploitable 2
QUESTIONS?
ABOUT ME
Hyper-curious
ASE-T - TCS Limited
Musician
IdeaEngine007
