In the last chapter, you learned various techniques of information gathering and enumeration. Now that we have gathered information about our target system, it's time to check whether the target system is vulnerable and whether we can exploit it in reality. In this chapter, we will cover the following topics:
The following software are required:
As we have seen so far, the Metasploit Framework is a tightly coupled collection of various tools, utilities, and scripts that can be used to perform complex penetration testing tasks. While performing such tasks, a lot of data is generated in some form or the other. From a framework perspective, it is essential to store all data safely so that it can be reused efficiently whenever required. By default, the Metasploit Framework uses a PostgreSQL database at the backend to store and retrieve all the required information.
We will now look at how to interact with the database to perform some trivial tasks and ensure that the database is correctly set up before we begin with the penetration testing activities.
For the initial setup, we will use the following command:
root@kali :~# service postgresql start
This command will initiate the PostgreSQL database service on Kali Linux. This is necessary before we start with the msfconsole command:
root@kali :~# msfdbinit
This command will initiate the Metasploit Framework database instance and is a one-time activity:
db_status: Once we have started the PostgreSQL service and initiated msfdb, we can then get started with msfconsole:
msf>db_status
The db_status command will tell us whether the backend database has been successfully initialized and connected with msfconsole.
We'll now move on to managing workspaces within Metasploit.
Let's assume you are working on multiple penetration testing assignments for various clients simultaneously. You certainly don't want the data from different clients to mix together. The ideal solution would be to make logical compartments to store data for each assignment. Workspaces in the Metasploit Framework help us achieve this goal.
The following table shows some of the common commands related to managing workspaces:
The following screenshot shows the usage of the workspace commands with various switches:
We'll now move on to importing scans into the Metasploit framework.
We already know how versatile the Metasploit Framework is and how well it integrates with other tools. The Metasploit Framework offers a very useful feature to import scan results from other tools such as NMAP and Nessus:
The services command, with appropriate parameters, as in the following screenshot, queries the database and filters out services:
We'll now move on to backing up the Metasploit database.
Imagine you have worked for long hours on a complex penetration testing assignment using the Metasploit Framework. Now, for some unfortunate reason, your Metasploit instance crashes and fails to start. It would be very painful to rework from scratch on a new Metasploit instance! This is where the backup option in the Metasploit Framework comes to the rescue.
The db_export command, as in the following screenshot, exports all data within the database to an external XML file.
You can then keep the exported XML file safe in case you need to restore the data later, after a failure:
We'll now move on to using NMAP within Metasploit.
Network Mapper (NMAP) is an extremely advanced tool that can be used for the following purposes:
NMAP is a tool with hundreds of parameters to configure and covering it completely is beyond the scope of this book. However, the following table will help you to know some of the most commonly required NMAP switches:
For example, consider the following command: nmap-sT-sV-O192.168.44.129-oX/root/Desktop/scan.xml.
The preceding command will perform a connect scan on the IP address 192.168.44.129, detect the version of all the services, identify which operating system the target is running on, and save the result to an XML file at the path /root/Desktop/scan.xml.
Let's move on with the NMAP scanning approach.
We have seen in the previous section that the Metasploit Framework offers a functionality to import scans from tools such as NMAP and Nessus. However, there is also an option to initiate the NMAP scan from within the Metasploit Framework. This will instantly store the scan results in the backend database. However, there isn't much difference between the two approaches and it is just a matter of personal choice.
Scanning from msfconsole: The db_nmapcommand, as in the following screenshot, initiates an NMAP scan from within the Metasploit Framework. Once the scan is complete, you can simply use the hosts command to list the target scanned:
We'll now move on to discussing the Nessus tool.
Nessus is a popular vulnerability assessment tool, which we have already seen in Chapter 1, Introduction to Metasploit and Supporting Tools.
Now, there are two alternatives to using Nessus with Metasploit, as follows:
We'll now see how Nessus scans can be triggered from within msfconsole.
Before we start a new scan using Nessus, it is important to load the Nessus plugin in mfsconsole.
This can be done using the load nessus command, as in the following screenshot.
Before loading Nessus in msfconsole, make sure that you start the Nessus daemon using the /etc/init.d/nessusd start command.
Once the plugin is loaded, you can connect to your Nessus instance using a pair of credentials, as in the following screenshot:
Once the Nessus plugin is loaded and we are connected to the Nessus service, we need to select which policy we will use to scan our target system.
This can be performed using the following commands:
Nessus policies can be listed as in the following screenshot:
After some time, the scan is completed, and we can view the scan results using the following command:
We'll now move on to vulnerability detection using Metasploit's auxiliary modules.
We saw various auxiliary modules in the last chapter. Some of the auxiliary modules in the Metasploit Framework can also be used to detect specific vulnerabilities.
For example, the following screenshot shows the auxiliary module that checks whether the target system is vulnerable to the MS12-020 RDP vulnerability:
Moving on, we'll now see how the db_autopwn plugin can be used for auto-exploitation.
In the previous section, we saw how the Metasploit Framework helps us import scans from various other tools such as NMAP and Nessus. Now, once we have imported the scan results into the database, the next logical step would be to find exploits matching the vulnerabilities /ports from the imported scan. We can certainly do this manually, for instance, if our target is Windows XP and it has TCP port 445 open, then we can try out the MS08_67netapi vulnerability against it.
The Metasploit Framework offers a script called db_autopwn, which automates the exploit matching process, executes the appropriate exploit if a match is found, and gives us a remote shell. However, before you try this script, a few of the following things need to be considered.
The db_autopwn script is officially depreciated from the Metasploit Framework. You would need to explicitly download and add it to your Metasploit instance. This is a very resource-intensive script since it tries all permutations and combinations of vulnerabilities against the target, thus making it very noisy.
This script is not recommended anymore for professional use against any production system. However, from a learning perspective, you can run it against any of the test machines in the lab.
The following are the steps to get started with the db_autopwn script:
wget https://raw.githubusercontent.com/jeffbryner/kinectasploit/master/db_autopwn.rb.
msf> use db_autopwn
msf>db_autopwn -p -t
msf>db_autopwn -p -t –e
We'll now move on to the post-exploitation abilities of Metasploit.
Post exploitation is a phase in penetration testing where we have got limited (or full) access to our target system and now want to search for certain files or folders, dump user credentials, capture screenshots remotely, dump out the keystrokes from the remote system, escalate the privileges (if required), and try to make our access persistent.
In this section, we'll learn about Meterpreter, which is an advanced payload known for its feature-rich post-exploitation capabilities.
Meterpreter is an advanced extensible payload that uses an in-memory DLL injection. It significantly increases the post-exploitation capabilities of the Metasploit Framework. By communicating over the stager socket, it provides an extensive client-side Ruby API.
Some of the notable features of Meterpreter are as follows:
Before we use the exploit, we need to configure the Meterpreter payload by issuing the usepayload/windows/meterpreter/reverse_tcp command and then setting the value of the LHOST variable.
The following screenshot shows a Meterpreter session, which we obtained by exploiting the ms08_067_netapi vulnerability on our Windows XP target system:
We'll now move on to searching for given content using Meterpreter.
Once we have compromised our target system, we might want to look out for specific files and folders. It all depends on the context and intention of the penetration test. Meterpreter offers a search option to look for files and folders on the compromised system.
The following screenshot shows a search query looking for confidential text files located on a C drive:
We'll now move on to using Meterpreter for screen capture.
Upon a successful compromise, we might want to know what activities and tasks are running on the compromised system. Taking a screenshot may give us some interesting information on what our victim is doing at that particular moment.
In order to capture a screenshot of the compromised system remotely, we perform the following steps:
We'll now move on to using Meterpreter for keystroke logging.
Apart from capturing a screenshot, another very useful Meterpreter feature is keystroke logging. The Meterpreter keystroke sniffer will capture all the keys pressed on the compromised system and dump the results out onto our console.
The keyscan_start command is used to initiate remote keylogging on the compromised system, while the keyscan_dump command is used to dump out all the captured keystrokes to the Metasploit console, as in the following screenshot:
We'll now move on to dumping the hashes using the John the Ripper (JTR) tool.
Windows stores user credentials in an encrypted format in its SAM database. Once we have compromised our target system, we want to get hold of all the credentials on that system.
The following screenshot shows how we can use the post/windows/gather/hashdump auxiliary module to dump the password hashes from the remote compromised system:
Once we have a dump of credentials, the next step is to crack them and retrieve cleartext passwords. The Metasploit Framework has an auxiliary module, auxiliary/analyze/jtr_crack_fast, which triggers the password cracker against the dumped hashes. Upon completion, the module displays cleartext passwords, as in the following screenshot:
We'll now move on to the shell command within Meterpreter.
Once we have successfully exploited the vulnerability and obtained Meterpreter access, we can use the shell command to get Command Prompt access to the compromised system. The Command Prompt access will make you feel as if you are physically working on the target system.
We will now move on to privilege escalation with Metasploit.
We can exploit a vulnerability and get remote Meterpreter access, but it's quite possible that we may have limited privileges on the compromised system. In order to ensure we have full access and control over our compromised system, we need to elevate privileges to that of an administrator. Meterpreter offers functionality to escalate privileges, as in the following screenshot. First, we load an extension called priv, and then use the getsystem command to escalate the privileges.
We can then verify our privilege level using the getuid command:
Now, we will move on to the introduction of the msf utilities.
The Metasploit Framework comes with a couple of useful tools in addition to the usual exploits and payloads that we have seen so far. These tools can be run outside of the Metasploit Framework. Currently, the Metasploit Framework has tools in various categories, as in the following screenshot.
Simply open up the terminal and browse to the path /usr/share/metasploit-framework/tools.
As seen in the following screenshot, currently the msf utilities are categorized in nine categories:
We'll now learn about these utilities, starting with: msf-exe2vbs.
The payloads generated in .exe format usually get detected easily by antivirus programs. The msf-exe2vbs utility allows us to convert an executable payload into VBScript format. To use this utility, simply open up the terminal and type msf-exe2vbs. This utility requires two arguments to execute: the path to the .exe file that we wish to convert, and the path where we wish to store the .vbs file.
The following screenshot shows the utility converting setup.exe to setup.vbs:
We'll now learn about the next utility: msf-exe2vba.
The payloads generated in the .exe format are usually easily detected by antivirus programs. The msf-exe2vba utility allows us to convert an executable payload into VBA format. The VBA can even be embedded into Excel spreadsheets. To use this utility, simply open up the terminal and type msf-exe2vba. This utility requires two arguments in order to execute: the path to the .exe file that we wish to convert, and the path where we wish to store the .vba file.
The following screenshot shows the utility converting setup.exe to setup.vba:
We'll now learn about the next utility: msf-pdf2xdp.
The Metasploit Framework is capable of generating payloads in PDF format. However, at times, the PDF file gets flagged by the security software. It is possible to encode the malicious PDF in XDP format in order to evade the antivirus and other security software. The msf-pdf2xdp utility allows us to convert a PDF file into XDP file format. To use this utility, simply open up the terminal and type msf-pdf2xdp. This utility requires two arguments in order to execute: the path to the .pdf file that we wish to convert and the path where we wish to store the .xdp file.
The following figure shows the utility converting sample.pdf to sample.xdp:
We'll now learn about the next utility: msf-msf_irb.
The Metasploit Framework has a built-in Ruby shell that can be used for post-exploitation capabilities. However, it can be invoked separately as well using the command msf-msf_irb_shell, as in the following screenshot:
Once invoked, you can fire any Ruby command and interact with the Ruby shell.
There are certain situations specifically related to exploit development, where you are required to provide a specific pattern of characters as input. The msf-pattern_create utility helps generate a pattern of any given length and character combination.
As seen in the following screenshot, we generated a pattern with a length of 25, containing the characters s and r:
We'll now learn about the next utility: msf-virustotal.
VirusTotal is an online portal that accepts file samples as input and provides analysis on how many different antivirus engines were able to detect the file sample for the presence of malware. It is a very helpful and easy-to-use site. However, the Metasploit Framework provides a utility, msf-virustotal, which can be used to submit the file sample for analysis directly from the terminal without visiting the portal.
You can simply open up the terminal and type in msf-virustotal –h to get help with using the utility, as in the following screenshot:
Using the msf-virustotal –f <filename> command, as in the following screenshot, we can submit a file sample for analysis and instantly get the results:
We'll now msf-virustotallearn about the next utility: msf-makeiplist.
While performing penetration testing or scanning on larger networks, you will often be required to deal with IP ranges and subnets. There are several tools, such as NMAP and Metasploit, that take the IP range as input and then perform the scan, while some tools take individual IPs as an input. The msf-makeiplist utility takes an IP range as input and converts it into a list of individual IPs from that range.
To start with, just open up the terminal and type in msf-makeiplist –h, as in the following screenshot:
This utility takes two arguments: the input file that has the IP range, and the output file where we wish to save the list of individual IPs.
Let's consider a file that has an IP range as in the following screenshot:
Now, let's run the utility using the msf-makeiplist –i<filename> -o <filename> command, as in the following figure:
As seen in the preceding figure, the utility quickly converted the IP range of 192.168.100.0-50 to individual IPs.
We started this chapter with learning how to set up and manage the Metasploit Database. We then learned about triggering NMAP and Nessus scans from within the Metasploit console. We then saw vulnerability detection using various Metasploit auxiliary modules and auto-exploitation with db_autopwn. We also saw the advanced post-exploitation features of the Metasploit Framework using meterpreter and then concluded with an introduction to several useful msf utilities.
In the next chapter, we'll learn about the interesting client-side exploitation features of the Metasploit Framework.
More information on Meterpreter can be found at https://www.offensive-security.com/metasploit-unleashed/about-meterpreter/.