Monday 7 May 2012

Post Exploitation & Meterpreter Scripting - Metasploit

Metasploit has now become the king of tools used in penetration testing. It is made up of a collection of the available exploits. The tool has its pros and cons.
Some advantages are:
  • It automates the process of penetration testing.
  • It is fast (requires less time).
  • It is reliable.
  • It offers a lot of advanced features, which we will discuss step by step.
As a comparison between automatic and manual penetration testing and vulnerability assessment approaches: the automatic process is fast but in some cases does not give the desired result. Manual testing is slow but more precise, and we cannot neglect it. As far as disadvantages go, Metasploit has only one: automatic tools do not always work. The point is that Metasploit only has the exploits that are available to it. If the server's software is fully patched, then Metasploit will fail. (There are many ways of using Metasploit; here, "fail" means failing to exploit a vulnerability that is present.) In that case we will need to carry out a manual test to find a 0-day vulnerability. This, then, is the weakness of Metasploit. However, Metasploit is the hot topic among penetration testers, many advances have been made, and the security community is currently working to make it even more useful.

Metasploit is based on a module system. From this point onward, I will assume that you are familiar with the basic usage of Metasploit: msfconsole, meterpreter, exploits, payloads and auxiliary modules.

Post Exploitation

The main objective in discussing post exploitation is to lay the groundwork for meterpreter scripting. Post exploitation is the technique, method or procedure used to identify and monitor a target host and to find a way to access it again in the future.

What is post exploitation? Why is it important? These questions matter for understanding the phenomenon, so suppose you have successfully hacked (compromised) a host but want to use this session at some later time. It is not good practice to start all over again; moreover, what if you fail next time? Therefore, the best method is to prepare the compromised system for the next use. The other phase of post exploitation is to use the compromised host as an attacker machine and to attack some other host or network through it. Consider the picture below:


The above diagram shows the importance of post exploitation. Suppose an attacker has successfully compromised victim A and now wants to reach the web server, which sits on the same network as victim A. Attacking a host on the same network is much easier than attacking it remotely, so instead of a remote attack the attacker can use victim A as their own machine and attack the network from there. This is what is known as the post exploitation phase.

To conclude, the post exploitation attack is the process of:

  • Infrastructure analysis.
  • Routing analysis.
  • Protocol analysis.
  • DNS server analysis.
  • ARP analysis.
  • Proxy server analysis.
  • Host machine analysis (virtual or real host).
  • Services and software analysis.
  • Sharing analysis.
  • Directory, name server and certificates analysis.
  • Backup and patch management analysis.
To be continued.
This introductory part of the article discusses the foundations of post exploitation; in the next article of this series we will cover the practice of meterpreter scripting.
