Metasploit para Pentesters

Contents

Introduction (p. 9)

Chapter I: Basic concepts (p. 11)
  1. Definitions (p. 11)
    Reliable software vs. secure software (p. 11)
    Bug (p. 11)
    Exploit (p. 12)
    Payload (p. 12)
    Shellcode (p. 12)
    0-day exploit (p. 13)
    Buffer overflow (p. 14)
    SQL injection (p. 14)
    XSS (Cross-Site Scripting) (p. 14)
    Metasploit (p. 15)
    Modules (p. 15)
    Metasploit interfaces (p. 15)
    Framework tools (p. 17)
    Metasploit architecture (p. 19)
    Module types in the Metasploit framework (p. 20)
  2. Metasploit versions (p. 21)
    Metasploit Community Edition (p. 21)
    Metasploit Pro (p. 22)
    Metasploit Express (p. 22)
  3. The intrusion test, or pentest (p. 23)
  4. Phases of a penetration test (p. 24)
    The contract: scope and terms of the penetration test (p. 25)
    Information gathering (p. 25)
    Vulnerability analysis (p. 25)
    Exploiting the vulnerabilities (p. 26)
    Post-exploitation of the system (p. 26)
    Report generation (p. 27)
  5. Basic Metasploit commands (p. 27)
    Help and search commands (p. 29)
    Interaction and configuration commands (p. 30)
    Database commands (p. 34)
  6. Ethical notes (p. 37)

Chapter II: Preliminaries (p. 39)
  1. Scope (p. 39)
  2. Information gathering (p. 40)
    Passive techniques (p. 40)
    Active techniques (p. 44)
  3. Vulnerability scanners (p. 51)
    Compatibility with scanner output files (p. 51)
    The Nessus scanner and importing its data (p. 52)
    The MBSA scanner and importing its data (p. 55)
    The Autopwn technique (p. 55)
  4. Service-targeted scanners (p. 60)
    The target (p. 60)
    Auxiliary tools in Metasploit (p. 60)

Chapter III: The art of intrusion (p. 63)
  1. Scope (p. 63)
  2. Payloads (p. 64)
  3. Intrusion without user interaction (p. 66)
    PoC: The first intrusion (p. 66)
    PoC: Denial of service and the losses it causes (p. 68)
  4. Intrusion with user interaction (p. 70)
    PoC: Attachments can be very dangerous (p. 71)
    PoC: QuickTime and its connections, by Rubén Santamarta (p. 73)
    Dark Shadows: the dark and real world (p. 76)
    PoC: The Browser Autopwn technique (p. 77)
  5. Automating commands (p. 80)
    Example: Basic discovery (p. 81)
    Creating a resource script (p. 83)
  6. Rogue servers (p. 84)
    PoC: Rogue DHCP, Fake DNS and Java applet (p. 85)
    Fake DNS, by José Selvi (p. 89)
  7. Customizing and updating the framework (p. 91)
    Controlled updating of resources (p. 91)
    Example: Downloading an exploit and adding it to the framework (p. 92)

Chapter IV: Meterpreter & Post-Exploitation (p. 95)
  1. Scope (p. 95)
  2. Basic Meterpreter commands (p. 96)
    Core commands (p. 97)
    Stdapi (p. 99)
    Priv (p. 104)
  3. Meterpreter scripts (p. 106)
    winenum: the informer (p. 107)
    The get scripts (p. 109)
    The post scripts (p. 112)
    The multi scripts (p. 119)
  4. Meterpreter modules (p. 120)
    Module: Espia (p. 121)
    Module: Incognito (p. 121)
    PoC: Recovering SMB hashes with snarf_hashes (p. 123)
    Module: Sniffer (p. 124)
    PoC: Spying on the victim's network (p. 125)
  5. Pass the hash (p. 129)
    Theory of Windows credentials (p. 129)
    PoC: Getting further through identity impersonation (p. 131)
  6. Pivoting (p. 136)
  7. Persistence (p. 136)
    PoC: Metsvc and the direct (bind) connection (p. 137)
    PoC: Persistence and the reverse connection (p. 139)
  8. Migrating to a process (p. 141)
    PoC: From process to process, capturing keystrokes (p. 142)
  9. Scraper (p. 143)
  10. Upgrading from cmd to Meterpreter (p. 144)
  11. Railgun (p. 144)
  12. Other interesting PoCs (p. 146)
    PoC: Meterpreter, trojans and educational rootkits (p. 146)
    PoC: Exploited and infected (p. 149)
    PoC: Remote memory dump and analysis (p. 151)
    PoC: VNC payload (p. 154)
    PoC: Port forwarding (p. 156)

Chapter V: Other msf tools (p. 159)
  1. msftools (p. 159)
  2. Msfcli: the power of the command line (p. 160)
    msfcli modes (p. 161)
    Benefits of using msfcli (p. 163)
    Connection theory (p. 164)
    PoC: Exploit server and a private machine for the sessions (p. 166)
  3. Msfpayload: payloads made to order (p. 168)
    msfpayload modes (p. 168)
    PoC: Generating a payload to embed in an exploit (p. 171)
    PoC: Creating a homemade trojan (p. 173)
    PoC: Creating a malicious DEB package (p. 176)
    Payloads vs. antivirus (p. 178)
  4. Msfencode: evading detection (p. 179)
    Encoding with msfencode (p. 180)
    PoC: Creating an encoded executable (p. 181)
    Multiple encoding (p. 182)
    PoC: Creating a multi-encoded executable (p. 182)
    Theory of custom and stealthy executables (p. 183)
    PoC: Creating a custom executable (p. 184)
    PoC: Creating a custom, stealthy executable (p. 185)
  5. Msfvenom: payloads and evasion (p. 188)
    Benefits of using msfvenom (p. 188)
    msfvenom options (p. 189)
    Creating encoded shellcode (p. 190)
    PoC: Creating an encoded executable with msfvenom (p. 191)
  6. Msfd: remote management (p. 192)
    msfd options (p. 192)
    PoC: Connecting on a custom port and preparing an exploit (p. 193)
  7. Memory manipulation (p. 195)
    Msfelfscan and msfpescan (p. 195)

Chapter VI: Social engineering with SET (p. 197)
  1. Social engineering (p. 197)
  2. What is it and what does it offer? (p. 198)
    Configuring SET (p. 200)
  3. Attack vector: phishing (p. 201)
    PoC: Targeted attack on a domain (p. 201)
  4. Attack vector: web (p. 205)
    PoC: Harvesting credentials (p. 206)
    PoC: Java applet (p. 209)
  5. Infected media (p. 212)
  6. Payloads as executables (p. 213)
  7. USB HID devices (p. 213)
  8. Email attacks (p. 214)
  9. SMS spoofing (p. 215)
  10. Attack vector: wireless (p. 216)
  11. Attack vector: QR code (p. 218)
    PoC: Social engineering with a malicious QR code (p. 218)
  12. Attack vector: PowerShell (p. 219)
    PoC: Injecting Meterpreter via PowerShell (p. 220)
    PoC: The world of spoofing and SET (p. 221)

Chapter VII: Going further with Fast-Track (p. 225)
  1. What is it and what is it for? (p. 225)
  2. Fast-Track and the ways to run it (p. 225)
    Interactive Fast-Track (p. 226)
    Fast-Track from the command line (p. 228)
    Fast-Track via the web interface (p. 229)
  3. Fast-Track tutorials (p. 230)
  4. Configuring Fast-Track (p. 231)
  5. Features (p. 232)
    Autopwn Automation (p. 232)
    Nmap Scripting Engine (p. 234)
    Microsoft SQL Tools (p. 234)
    Mass Client-Side Attack (p. 236)
    Exploits (p. 237)
    Binary to Hex Payload Converter (p. 237)
    Payload Generator (p. 238)
  6. Awareness about Fast-Track (p. 240)
  7. Reflections on tools outside Metasploit (p. 241)

Chapter VIII: Metasploit on mobile devices (p. 243)
  1. Introduction (p. 243)
  2. Installing Metasploit on iOS devices (p. 244)
    Prerequisites and installation (p. 244)
    Installing the SET (Social Engineering Toolkit) module on iOS (p. 246)
    Installing Fast-Track on iOS (p. 247)
  3. Attacks on iOS devices (p. 247)
    Attacking the handset with a remote exploit: the iOS case (p. 247)
    Attacking the Wi-Fi communications of iOS devices (p. 252)
    Attacking iOS VPN communications (p. 255)
    Attacking the Bluetooth communications of an iOS device (p. 255)
    Attacking the 3G or GPRS communications of iOS (p. 256)
    Man-in-the-middle attacks on iOS (p. 257)
    Juice jacking attacks on iOS (p. 258)
    Post-exploitation: attacking the backup of an iOS device (p. 259)
  4. Conclusions (p. 262)

Alphabetical index (p. 263)
List of figures (p. 265)
List of tables (p. 272)
Published books (p. 273)