Wednesday, September 1, 2010

Metasploit on the edge

Metasploit on the edge originally aired on digitalcliff.spaces.live.com

The following is based on my experiences and (limited) knowledge. I am not an expert in anything, nor will I likely ever be one. My hope is that this might help someone, somewhere, sometime. If nothing else, it might be a good start for discussion.
Preamble
This exercise is for educational use only, and is intended to be used in a lab environment, or as part of an authorized pentest. Please always ensure any scans or changes to systems are part of your pentest scope and comply with your rules of engagement.
The following series of posts will walk through a fairly contrived example of how Metasploit can be used to exploit a client behind a firewall and, from there, dig further into the network, with the final goal of remote desktop access to a Windows server. The purpose is not to go into great detail, but instead to show the power of Meterpreter, its extensions and scripts.
Part 1 – The setup
Requirements
Before we can begin we need to set up our environment. I will be using VMware and sometimes VirtualBox, but any virtualization software, or even a physical setup, will work.
If you are looking for a real fun lab to test against, sign up for the Pentesting with Backtrack course from http://www.information-security-training.com. Not only do you get the excellent courseware, but the lab environment and the learning opportunities are amazing.
Background
My attack machine will be a Backtrack 4 virtual machine, but any machine with Metasploit and some form of remote desktop client will work.
Our victims will be various Windows machines (make sure they are licensed, or use demo versions) behind a firewall that blocks inbound internet traffic but allows the clients outbound access to the internet. Our ultimate target is a Windows server located in the "secure" DMZ.
Process
At a high level our plan of attack will be:
1. Exploit the client.
2. Scan the internal environment with Metasploit.
3. Exploit our next victim.
4. Use the second victim to explore and attack the final victim, the Windows server.
5. Complete the attack by accessing the remote desktop of the Windows server.
Along the way, we will demo some client-side exploits (a browser exploit and a PDF exploit), use the Meterpreter functions for pivoting (route and portfwd) and some Meterpreter extensions (sniffer, incognito), create a reverse Meterpreter executable, and use some post-exploitation scripts.
Next steps
Exploiting the client