0x5: Messing With Metasploit

Get Set For Contacts

In the previous post we talked about Nmap and briefly demonstrated vulnerability identification with it. Now using the information we gathered, let’s discuss and demonstrate using the Metasploit framework to exploit the vulnerability we found and gain an initial foothold on the target system.

msfconsole duality: muttering “I’m in” under your breath vs flipping your desk over the umpteenth exploit failure

We’re not going to touch on the specifics of the exploit we discovered in the previous article. Instead, we’re going to discuss msfconsole in general: what it is, who made it, some basic usage, and the basic methodology of configuring and executing an exploit against a remote target with it.

This guide assumes you already have the Metasploit Framework installed and configured on your Linux system, or are working from the Kali Linux environment (which comes with Metasploit preinstalled) with root privileges.

What Is Metasploit?

The Metasploit framework (MSF) is a powerful open source tool which provides a framework for security researchers to develop and deploy exploits, payloads, payload encoders and auxiliary scanners against a remote target. Initially a database of exploits and their code, the framework has grown considerably to have an extensive range of capabilities for the execution of exploits, reconnaissance and post-exploitation activities.

MSF can be used to test the vulnerability of a computer system, or used to directly break into it. Because of this, not unlike a wide variety of security tools, MSF can be used for legitimate and illegitimate purposes. It should be noted that possessing or using MSF is legal, however some of the activities it enables are most definitely illegal. Beyond being very wary of how and when you use it, be sure to never mount an attack with MSF against a box that isn’t your own or one you don’t have permission to attack.

There are two interfaces for MSF: msfconsole (an interactive shell) and msfweb (a web based interface). In this article we are going to focus on the more powerful and most used of the two, msfconsole.

Who Made MSF?

MSF is the well-known sub-project of the Metasploit Project, which is maintained by the security and research company Rapid7. Originally developed in 2003 by H. D. Moore in Perl as a portable network tool, the project was rewritten in Ruby in 2007 and acquired by Rapid7 in 2009.

Since its acquisition by Rapid7, there are now several versions of the framework including free and commercial offerings: Metasploit Framework Edition, Metasploit Community Edition, Metasploit Express and Metasploit Pro.

As MSF is an open source project, much like Nmap it has a huge community of developers and enthusiasts who contribute to its ongoing development. These contributions are reviewed and added to the framework by Rapid7 employees or senior external contributors.

Despite commercial competition, MSF is considered the de facto industry standard tool for exploit development and deployment. Today it is common practice for a zero day report to include a msfconsole module.

Basic Usage

Let’s discuss some of the basic commands we use in msfconsole. But first, let’s initialize the MSF database and start the msfconsole interface by issuing the following:

msfdb init

msfconsole


If you aren’t using a fresh MSF install and are following along in a Kali environment, it is highly likely that the database has already been initialized — running the first command (‘msfdb init’) may not be necessary — but it won’t hurt. Once it has started, we can access the help page by simply issuing ‘help’ or ‘?’:

help


This page contains every single command you will need to use and configure msfconsole for attack. The commands you will most likely use the most are ‘search’, ‘show options’, ‘set’, ‘sessions’, ‘use’ and ‘exploit’ (or ‘run’).

Lasers Set To Kill

Now that we know what MSF is, who made it and how it generally works, let’s start configuring an exploit for execution. For the purpose of this demonstration, we will again be using the Blue box on TryHackMe so we can use the same information we gathered in the previous article.

The basic methodology of attacking with MSF is fairly simple: identify a vulnerability on a target, pick an appropriate exploit, aim msfconsole at it, choose a payload and open fire. In this demonstration we can skip the payload, as we don’t need to set one for this particular exploit: one is automatically generated by the exploit itself.

Let’s do some research on the vulnerability our target possesses. We previously determined that the target is vulnerable to MS17-010 (or CVE-2017-0143), a well-documented vulnerability found on many hosts running unpatched, legacy versions of Windows. To better understand the vulnerability and how to exploit it, use Google and the following databases:

Now let’s find an appropriate exploit for it in msfconsole by issuing:

search ms17-010


MSF found two auxiliary modules and four exploit modules related to MS17-010. To use any of the search results, simply issue ‘use’ + the number of the entry. For example, if we wanted to use the ‘auxiliary/scanner/smb/smb_ms17_010’ module, we would issue:

use 1

The module we actually want to use is number three, so issue the following:

use 3


You will notice that the msfconsole command line now includes the path of the module we selected for use. Now we have the module selected, we can configure it. This process is pretty much exactly the same for all modules on MSF: search and find the module you want to use, select it, and then configure it. To see what configurations need to be made before we can use the module, we need to issue:

show options


This will show a list of the currently selected module’s options. To set any option or parameter, we use the ‘set’ command followed by the name of the parameter we are setting and then its value. These options and parameters will be different for every module, but usually ‘RHOSTS’ (remote hosts) and ‘RPORT’ (remote port) will be present. By setting these parameters to those of the target, we have successfully lined up and are aiming msfconsole at our target:

set RHOSTS <targetIP>


For the module we selected, as you can see from the options page, only ‘RHOSTS’ is a required option. Once all the required options are set on a module, msfconsole is ready to use that module. Now if we were to execute the command by issuing either ‘run’ or ‘exploit’, msfconsole would execute the exploit and present you with a shell on the target machine.
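Since ‘RHOSTS’ is the one value that decides what the module touches, it is worth validating against the engagement’s authorized scope before it is ever typed into msfconsole. The following is an added example, not part of the original post or of Metasploit itself: the scope range and function names are assumptions, and it only accepts space-separated IP addresses and CIDR blocks, rejecting anything it cannot verify (hostnames, ranges).

```python
import ipaddress

# Constructed scope for illustration; replace with the ranges you are
# actually authorized to test (lab network, signed rules of engagement).
AUTHORIZED_SCOPE = ["10.10.0.0/16"]


def out_of_scope(rhosts, scope=AUTHORIZED_SCOPE):
    """Return the RHOSTS entries that are not provably inside the scope.

    Entries that are not a plain IP address or CIDR block are treated as
    out of scope (fail closed), because they cannot be checked here.
    """
    allowed = [ipaddress.ip_network(n) for n in scope]
    rejected = []
    for entry in rhosts.split():
        try:
            # strict=False lets "10.10.5.7/8" parse; it is then judged as
            # the whole 10.0.0.0/8 network it really describes.
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            rejected.append(entry)
            continue
        inside = any(
            net.version == a.version and net.subnet_of(a) for a in allowed
        )
        if not inside:
            rejected.append(entry)
    return rejected


def guarded_set_line(rhosts, scope=AUTHORIZED_SCOPE):
    """Return the 'set RHOSTS ...' line only if every target is in scope."""
    entries = rhosts.split()
    if not entries:
        raise ValueError("RHOSTS is empty")
    bad = out_of_scope(rhosts, scope)
    if bad:
        raise ValueError("out of authorized scope: " + ", ".join(bad))
    return "set RHOSTS " + " ".join(entries)


if __name__ == "__main__":
    print(guarded_set_line("10.10.5.7"))            # in scope
    print(out_of_scope("10.10.5.7 10.11.0.1 blue.thm"))  # two rejected
```
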


What a glorious sight, a C prompt on a Linux terminal! Just like that, we have successfully exploited the MS17-010 vulnerability and have gained a foothold on our target. We will discuss this exploit further in the next article (which will be the complete write-up of the Blue room).

To exit the exploited shell, all we need to do is use Ctrl + Z and enter Y when prompted to return to the msfconsole.

Final Thoughts

  • The Metasploit Framework is a powerful tool that allows an attacker to rapidly deploy and exploit a target with relative ease
  • We have successfully demonstrated how to search for, select, configure and execute various modules
  • The msfconsole banner always looked awesome in my opinion
  • Punching the air and exclaiming “I’m in!” is a universal and often involuntary reaction to an exploit executing successfully
  • MSF should receive the title of ‘Kalashnikov’ of security tools
