Metasploit

Metasploit

This section will be dedicated to training you on Metasploit. Metasploit is THE most popular hacking framework in the world and it is FREE. Although it does have its shortcomings, every aspiring hacker should understand how to use Metasploit.

Below, I have begun with some Metasploit Basics and more will be coming soon.

Metasploit, The Basics

I. Introduction

Metasploit is the world’s leading exploitation framework. Originally developed by HD Moore as an open source project, it is now owned by the security company, Rapid7, which also owns the vulnerability scanner, Nexpose. Although originally developed as an open source project, Rapid7 has now developed a Pro version of Metasploit with a few more “bells and whistles”. Fortunately, the open source, community edition is still available to the rest of us without tens of thousands of dollars to spend on the Pro version (if you are a professional pentester, the efficiency and time savings accrued in using the Pro version make it a good investment).

Metasploit has multiple interfaces including;

(1) msfconsole an interactive command line like interface

(2) msfcli a literal Linux command line interface

(3) Armitage a GUI based third party application

(4) msfweb browser based interface

Undoubtedly, the most common way to use Metasploit is through Metasploit’s own interactive shell, msfconsole. In this course, we will be largely using this msfconsole, but I will show you how to use the others in a later tutorial.

In recent years, Metasploit has integrated additional tools to make it more than just a exploitation framework. Tools, such as nmap and Nexpose, are now integrated into Metasploit, so that the entire process of port scanning and vulnerability scanning can all be done from one single tool. In addition, Metasploit has now integrated a postgresql database to store the data collected from your scans and exploits.

II. Getting Started

Before we start Metasploit, we should start the postgresql database. Metasploit will work without postgresql, but this database enables Metasploit to run faster searches and store the information you collect while scanning and exploiting. Start the postgresql database by typing;

kali > service postgresql start

Once the database has been started, you can type to start the Metasploit Framework console;

kali >msfconsole

As Metasploit loads everything into RAM, it takes awhile, so be patient. Eventually, you should get a screen that looks like this.

Don’t worry if it doesn’t look exactly the same as my screen as Metasploit rotates the images. As long as you have the msf > prompt, you are in the right place.

This starts the Metasploit console. If you are more GUI oriented, you can go

Applications–>Kali Linux–>Exploitation Tools–> Metasploit–>metasploit community/pro

Make certain you choose the community edition. You can get the Pro edition, but it is free trial that expires quickly.

III. Metasploit Keywords

Although Metasploit is a very powerful exploitation framework, just a few keywords can get you started to hacking just about any system. A word about terminology though before we start. In Metasploit terminology, an exploit is a module that takes advantage of a system or application vulnerability. It usually will attempt to place a payload on the system. This payload can be a simple command shell or the all powerful Meterpreter. In other environments these payloads might be termed listeners or rootkits.

Let’s take a look at some of those keywords.

msf > help

Note that we can access this help menu with the “?” as well as “help”.

msf > use

The “use” command loads a module. So,for instance, if I wanted to load the exploit/windows/browser/adobe_flash_avm2 module, I would type;

As you can see, when Metasploit successfully loads the module, it responds with the type of module (exploit) and the abbreviated module name in red.

msf> show

After you load a module, the show command can be very useful to gather more information on the module. The three I use most often are show options, show payloads and show targets.

msf > show payloads

This command, when used after selecting your exploit, will show you all the payloads that will work with this exploit. If you run this command before selecting an exploit, it will show you ALL payloads.

As you see in the screenshot above, the show payloads command listed all the payloads that will work with this exploit.

msf > show options

This command is also very useful in running an exploit. It will display all of the options that need to set before running the module.

msf > show targets

A less commonly used command is show targets. Each exploit has a list of the targets it will work against. By using the “show targets” command, we can get a list of them.

msf > info

The info command is simple. When you type it after you have selected a module, it shows you key info about the module including the options that need to be set. I usually always run it after selecting my exploit.

msf > search

As a newcomer to Metasploit, the “search” command might be the most useful. When Metasploit was small and new, it was relatively easy to find the module you needed. Now with nearly 3000 modules, finding just the right module can be time-consuming and problematic. Rapid7 added the search function starting with version 4 and it has become a time and life saver.

Although you can use the search function to search for keywords, that approach is not always efficient. The primary methods by which you will search Metasploit are;

platform – the is the operating system that the module is built for

type – this is the type of module. These include exploits, nops, payloads, post and auxiliary

name – if you know the name of the module you can search by its name

The syntax for using search is the keyword followed by a colon such as type:exploits

For instance, if you were looking for an exploit (type) for Windows (platform) for Abobe Flash we could type;

msf > search type:exploits platform:windows flash

msf > set

This command is use to set options within the module you selected. For instance, if we look above at the show options command, we can see numerous options that must set such as URIPATH, SVRHOST and SVRPORT. We can set any of these with the set command such as;

msf > set SRVPORT 80

msf > unset

This command, as you might expect, unsets the option that was previously set. Such as;

msf > unset SRVPORT

As you can see, we first set the SRVPORT variable to 80 and then unset it. It then reverted back to the default value of 8080 that we can see when we typed show options again.

msf > exploit

Once we have loaded our exploit and set all the necessary options, the final thing we do is “exploit”. This sends the exploit to the target system and if successful, installs the payload.

As you can see in this screenshot, the exploit starts and is running as background job with a reverse handler on port 4444. It then started a webserver on host 0.0.0.0 on port 8080 with a randomized URL (SLoJ05mneYHz5). We could have chosen a specific URL and set it.

msf > back

We can use the back command to take us “back” one step in our process. So, if you instance, we decided that we did not want to use the adobe/flash/avm2 exploit, we could type “back” and it would remove the loaded exploit.

msf > exit

The exit command, as you would expect, exits us from the msfconsole and back into the BASH command shell.

Notice that in this case, it stops the webserver that we created in this exploit and returned us to the Kali command prompt in the BASH shell.

Although this is less than an exhaustive list of Metasploit commands, with just these commands you should be able to execute nearly 100% of the functions in Metasploit. When you need another command in this course, I will take a few minutes to introduce it, but these are all you will likely need.

In many exploits, you will see the following options (variables).

RHOST – this is the remote host or target IP

LHOST – this is the local host or attacker IP

RPORT – this is the remote port or target port

LPORT – this is the local port or attacker port

IV. Payloads

Metasploit has numerous payloads that we can use to leave behind on the target system and maintain access. There are 335 payloads and the number is changing constantly as new payloads are developed.

Among these 335 payloads in Metasploit, there are 8 types of payloads.

Inline

These payloads are a single package of exploit and payload. They are inherently more stable, but because of their size, they can’t always be used in small vulnerable memory areas.

Staged

These payloads essentially are able to fit into very small spaces and create a foothold on the system and then pull rest of the payload.

Meterpreter

Is the all powerful payload that we most often want on a victim system. It works by .dll injection and resides entirely in memory, leaving no trace of its existence on the hard drive or file system. It has a number of specific commands and scripts developed for it, enabling us to largely work our will on the victim system.

PassiveX

This payload is for use when firewall rules restrict outbound traffic. In essence, it uses ActiveX through Internet Explorer to hide its outbound traffic and evade the firewall by using HTTP requests and responds just as any browser would.

NoNX

In some CPUs, there is a built-in security feature called DEP (Data Execution Prevention). In Windows, it is referred to as No eXecute, or NX. The idea behind this security feature is to keep from data making its way to the CPU and being executed. The NoNX payloads are designed to evade this safety feature of modern CPU’s.

Ord

These type of payloads work on nearly all Windows operating systems. These are extremely small, but somewhat unstable. They are dependent upon loading a .dll (dynamic link library) into the exploited process.

IPv6

These payloads, as their implies, are designed to work on IPv6 networks.

Reflective DLL Injection

These payload modules are injected directly into the target process while it is running in memory, thereby never writing anything to the hard drive and leaving little or no evidence behind.