Chapter 5: Vulnerability Hunting with Metasploit

In the last chapter, you learned various techniques of information gathering and enumeration. Now that we have gathered information about our target system, it's time to check whether the target system is vulnerable and whether we can exploit it in reality. In this chapter, we will cover the following topics:

• Managing the database
• Vulnerability detection with Metasploit auxiliaries
• Auto-exploitation with db_autopwn
• Exploring post-exploitation
• Introduction to msf utilities

Technical requirements

The following software are required:

• Kali Linux
• The Metasploit Framework
• NMAP
• Nessus
• Metasploitable 2

Managing the database

As we have seen so far, the Metasploit Framework is a tightly coupled collection of various tools, utilities, and scripts that can be used to perform complex penetration testing tasks. While performing such tasks, a lot of data is generated in some form or the other. From a framework perspective, it is essential to store all data safely so that it can be reused efficiently whenever required. By default, the Metasploit Framework uses a PostgreSQL database at the backend to store and retrieve all the required information.

We will now look at how to interact with the database to perform some trivial tasks and ensure that the database is correctly set up before we begin with the penetration testing activities.

For the initial setup, we will use the following command:

root@kali :~# service postgresql start

This command will initiate the PostgreSQL database service on Kali Linux. This is necessary before we start with the msfconsole command:

root@kali :~# msfdbinit

This command will initiate the Metasploit Framework database instance and is a one-time activity:

Figure 5.1 – PostgreSQL service initialization

db_status: Once we have started the PostgreSQL service and initiated msfdb, we can then get started with msfconsole:

msf>db_status

The db_status command will tell us whether the backend database has been successfully initialized and connected with msfconsole.

We'll now move on to managing workspaces within Metasploit.

Managing workspaces

Let's assume you are working on multiple penetration testing assignments for various clients simultaneously. You certainly don't want the data from different clients to mix together. The ideal solution would be to make logical compartments to store data for each assignment. Workspaces in the Metasploit Framework help us achieve this goal.

The following table shows some of the common commands related to managing workspaces:

The following screenshot shows the usage of the workspace commands with various switches:

Figure 5.2 – Workspace management in Metasploit Framework

We'll now move on to importing scans into the Metasploit framework.

Importing scans

We already know how versatile the Metasploit Framework is and how well it integrates with other tools. The Metasploit Framework offers a very useful feature to import scan results from other tools such as NMAP and Nessus:

• The db_import command, as in the following screenshot, can be used to import scans into the Metasploit Framework:

Figure 5.3 – Use of 'db_import' command in msfconsole

• The hosts command: It's quite possible that we have performed the NMAP scan for the entire subnet and imported the scan into the Metasploit Framework database. Now, we need to check which hosts were found alive during the scan.
• The hosts command, as in the following screenshot, lists all the hosts found during scans and imports:

Figure 5.4 – Use of 'hosts' command in msfconsole

• The services command: Once the NMAP scan results are imported into the database, we can query the database to filter out services that we might be interested in exploiting.

  The services command, with appropriate parameters, as in the following screenshot, queries the database and filters out services:

Figure 5.5 – Use of 'services' command in msfconsole

We'll now move on to backing up the Metasploit database.

Backing up the database

Imagine you have worked for long hours on a complex penetration testing assignment using the Metasploit Framework. Now, for some unfortunate reason, your Metasploit instance crashes and fails to start. It would be very painful to rework from scratch on a new Metasploit instance! This is where the backup option in the Metasploit Framework comes to the rescue.

The db_export command, as in the following screenshot, exports all data within the database to an external XML file.

You can then keep the exported XML file safe in case you need to restore the data later, after a failure:

Figure 5.6 – Backing up 'msfdb'

We'll now move on to using NMAP within Metasploit.

NMAP

Network Mapper (NMAP) is an extremely advanced tool that can be used for the following purposes:

• Host discovery service
• Detecting the version
• Enumeration
• Vulnerability scanning
• Firewall testing and evasion

NMAP is a tool with hundreds of parameters to configure and covering it completely is beyond the scope of this book. However, the following table will help you to know some of the most commonly required NMAP switches:

For example, consider the following command: nmap-sT-sV-O192.168.44.129-oX/root/Desktop/scan.xml.

The preceding command will perform a connect scan on the IP address 192.168.44.129, detect the version of all the services, identify which operating system the target is running on, and save the result to an XML file at the path /root/Desktop/scan.xml.

Let's move on with the NMAP scanning approach.

NMAP scanning approach

We have seen in the previous section that the Metasploit Framework offers a functionality to import scans from tools such as NMAP and Nessus. However, there is also an option to initiate the NMAP scan from within the Metasploit Framework. This will instantly store the scan results in the backend database. However, there isn't much difference between the two approaches and it is just a matter of personal choice.

Scanning from msfconsole: The db_nmapcommand, as in the following screenshot, initiates an NMAP scan from within the Metasploit Framework. Once the scan is complete, you can simply use the hosts command to list the target scanned:

Figure 5.7 – Running 'nmap' from msfconsole

We'll now move on to discussing the Nessus tool.

Nessus

Nessus is a popular vulnerability assessment tool, which we have already seen in Chapter 1, Introduction to Metasploit and Supporting Tools.

Now, there are two alternatives to using Nessus with Metasploit, as follows:

1. Perform a Nessus scan on the target system, save the report, and then import it into the Metasploit Framework using the db_import command, as discussed earlier in this chapter.
2. Load, initiate, and trigger a Nessus scan on the target system directly through msfconsole, as described in the next section.

We'll now see how Nessus scans can be triggered from within msfconsole.

Scanning using Nessus from within msfconsole

Before we start a new scan using Nessus, it is important to load the Nessus plugin in mfsconsole.

This can be done using the load nessus command, as in the following screenshot.

Before loading Nessus in msfconsole, make sure that you start the Nessus daemon using the /etc/init.d/nessusd start command.

Once the plugin is loaded, you can connect to your Nessus instance using a pair of credentials, as in the following screenshot:

Figure 5.8 – Loading the 'nessus' plugin

Once the Nessus plugin is loaded and we are connected to the Nessus service, we need to select which policy we will use to scan our target system.

This can be performed using the following commands:

• msf>nessus_policy_list
• msf>nessus_scan_new<Policy_UUID>
• msf>nessus_scan_launch<Scan ID>

Nessus policies can be listed as in the following screenshot:

Figure 5.9 – Listing the nessus policies

After some time, the scan is completed, and we can view the scan results using the following command:

• msf>nessus_report_vulns<Scan ID>

Figure 5.10 – Listing nessus reports

We'll now move on to vulnerability detection using Metasploit's auxiliary modules.

Vulnerability detection with Metasploit auxiliaries

We saw various auxiliary modules in the last chapter. Some of the auxiliary modules in the Metasploit Framework can also be used to detect specific vulnerabilities.

For example, the following screenshot shows the auxiliary module that checks whether the target system is vulnerable to the MS12-020 RDP vulnerability:

Figure 5.11 – Use of 'ms12_020_check' auxiliary module

Moving on, we'll now see how the db_autopwn plugin can be used for auto-exploitation.

Auto-exploitation with db_autopwn

In the previous section, we saw how the Metasploit Framework helps us import scans from various other tools such as NMAP and Nessus. Now, once we have imported the scan results into the database, the next logical step would be to find exploits matching the vulnerabilities /ports from the imported scan. We can certainly do this manually, for instance, if our target is Windows XP and it has TCP port 445 open, then we can try out the MS08_67netapi vulnerability against it.

The Metasploit Framework offers a script called db_autopwn, which automates the exploit matching process, executes the appropriate exploit if a match is found, and gives us a remote shell. However, before you try this script, a few of the following things need to be considered.

The db_autopwn script is officially depreciated from the Metasploit Framework. You would need to explicitly download and add it to your Metasploit instance. This is a very resource-intensive script since it tries all permutations and combinations of vulnerabilities against the target, thus making it very noisy.

This script is not recommended anymore for professional use against any production system. However, from a learning perspective, you can run it against any of the test machines in the lab.

The following are the steps to get started with the db_autopwn script:

1. Open a Terminal window and run the following command:

   wget https://raw.githubusercontent.com/jeffbryner/kinectasploit/master/db_autopwn.rb.

2. Copy the downloaded file to /usr/share/metasploit-framework/pluginsdirectory.
3. Restart msfconsole.
4. In msfconsole, type the following code:

   msf> use db_autopwn

5. List the matched exploits using the following command:

   msf>db_autopwn -p -t

6. Exploit the matched exploits using the following command:

   msf>db_autopwn -p -t –e

We'll now move on to the post-exploitation abilities of Metasploit.

Exploring post exploitation

Post exploitation is a phase in penetration testing where we have got limited (or full) access to our target system and now want to search for certain files or folders, dump user credentials, capture screenshots remotely, dump out the keystrokes from the remote system, escalate the privileges (if required), and try to make our access persistent.

In this section, we'll learn about Meterpreter, which is an advanced payload known for its feature-rich post-exploitation capabilities.

What is Meterpreter?

Meterpreter is an advanced extensible payload that uses an in-memory DLL injection. It significantly increases the post-exploitation capabilities of the Metasploit Framework. By communicating over the stager socket, it provides an extensive client-side Ruby API.

Some of the notable features of Meterpreter are as follows:

• Stealthy: Meterpreter completely resides in the memory of the compromised system and writes nothing to the disk. It doesn't spawn any new processes; it injects itself into the compromised process. It has the ability to migrate to other running processes easily. By default, Meterpreter communicates over an encrypted channel. This leaves a limited trace on the compromised system from a forensic perspective.
• Extensible: Features can be added at runtime and are directly loaded over the network. New features can be added to Meterpreter without having to rebuild it. The Meterpreter payload runs seamlessly and very fast.

Before we use the exploit, we need to configure the Meterpreter payload by issuing the usepayload/windows/meterpreter/reverse_tcp command and then setting the value of the LHOST variable.

The following screenshot shows a Meterpreter session, which we obtained by exploiting the ms08_067_netapi vulnerability on our Windows XP target system:

Figure 5.12 – Use of 'ms08_67_netapi' exploit

We'll now move on to searching for given content using Meterpreter.

Searching for content

Once we have compromised our target system, we might want to look out for specific files and folders. It all depends on the context and intention of the penetration test. Meterpreter offers a search option to look for files and folders on the compromised system.

The following screenshot shows a search query looking for confidential text files located on a C drive:

Figure 5.13 – Use of 'search' command in msfconsole

We'll now move on to using Meterpreter for screen capture.

Screen capture

Upon a successful compromise, we might want to know what activities and tasks are running on the compromised system. Taking a screenshot may give us some interesting information on what our victim is doing at that particular moment.

In order to capture a screenshot of the compromised system remotely, we perform the following steps:

1. Use the ps command to list all processes running on the target system along with their process ID (PIDs).
2. Locate the explorer.exe process and note down its PID.
3. Migrate Meterpreter to the explorer.exe process, as in the following screenshot:
   

   Figure 5.14 – Migrating meterpreter to 'explorer.exe'

4. Once we have migrated Meterpreter to explorer.exe, we load the espia plugin and then fire the screengrab command, as shown in the following screenshot:
   

   Figure 5.14A – Loading the espia plugin

5. The screenshot of our compromised system is saved as follows, and we can see that the victim was interacting with the FileZilla server:

Figure 5.15 – Screenshot of the target system

We'll now move on to using Meterpreter for keystroke logging.

Keystroke logging

Apart from capturing a screenshot, another very useful Meterpreter feature is keystroke logging. The Meterpreter keystroke sniffer will capture all the keys pressed on the compromised system and dump the results out onto our console.

The keyscan_start command is used to initiate remote keylogging on the compromised system, while the keyscan_dump command is used to dump out all the captured keystrokes to the Metasploit console, as in the following screenshot:

Figure 5.16 – Keylogging using 'keyscan_start'

We'll now move on to dumping the hashes using the John the Ripper (JTR) tool.

Dumping the hashes and cracking with JTR

Windows stores user credentials in an encrypted format in its SAM database. Once we have compromised our target system, we want to get hold of all the credentials on that system.

The following screenshot shows how we can use the post/windows/gather/hashdump auxiliary module to dump the password hashes from the remote compromised system:

Figure 5.17 – Use of 'hashdump' auxiliary module

Once we have a dump of credentials, the next step is to crack them and retrieve cleartext passwords. The Metasploit Framework has an auxiliary module, auxiliary/analyze/jtr_crack_fast, which triggers the password cracker against the dumped hashes. Upon completion, the module displays cleartext passwords, as in the following screenshot:

Figure 5.18 – Running JTR from msfconsole

We'll now move on to the shell command within Meterpreter.

Shell command

Once we have successfully exploited the vulnerability and obtained Meterpreter access, we can use the shell command to get Command Prompt access to the compromised system. The Command Prompt access will make you feel as if you are physically working on the target system.

We will now move on to privilege escalation with Metasploit.

Privilege escalation

We can exploit a vulnerability and get remote Meterpreter access, but it's quite possible that we may have limited privileges on the compromised system. In order to ensure we have full access and control over our compromised system, we need to elevate privileges to that of an administrator. Meterpreter offers functionality to escalate privileges, as in the following screenshot. First, we load an extension called priv, and then use the getsystem command to escalate the privileges.

We can then verify our privilege level using the getuid command:

Figure 5.19 – Privilege escalation using 'priv' command

Now, we will move on to the introduction of the msf utilities.

Introduction to msf utilities

The Metasploit Framework comes with a couple of useful tools in addition to the usual exploits and payloads that we have seen so far. These tools can be run outside of the Metasploit Framework. Currently, the Metasploit Framework has tools in various categories, as in the following screenshot.

Simply open up the terminal and browse to the path /usr/share/metasploit-framework/tools.

As seen in the following screenshot, currently the msf utilities are categorized in nine categories:

Figure 5.20 – 'msfutilities' categories

We'll now learn about these utilities, starting with: msf-exe2vbs.

msf-exe2vbs

The payloads generated in .exe format usually get detected easily by antivirus programs. The msf-exe2vbs utility allows us to convert an executable payload into VBScript format. To use this utility, simply open up the terminal and type msf-exe2vbs. This utility requires two arguments to execute: the path to the .exe file that we wish to convert, and the path where we wish to store the .vbs file.

The following screenshot shows the utility converting setup.exe to setup.vbs:

Figure 5.21 – Use of 'msf-exe2vbs' utility

We'll now learn about the next utility: msf-exe2vba.

msf-exe2vba

The payloads generated in the .exe format are usually easily detected by antivirus programs. The msf-exe2vba utility allows us to convert an executable payload into VBA format. The VBA can even be embedded into Excel spreadsheets. To use this utility, simply open up the terminal and type msf-exe2vba. This utility requires two arguments in order to execute: the path to the .exe file that we wish to convert, and the path where we wish to store the .vba file.

The following screenshot shows the utility converting setup.exe to setup.vba:

Figure 5.22 – Use of 'msf-exe2vba' utility

We'll now learn about the next utility: msf-pdf2xdp.

msf-pdf2xdp

The Metasploit Framework is capable of generating payloads in PDF format. However, at times, the PDF file gets flagged by the security software. It is possible to encode the malicious PDF in XDP format in order to evade the antivirus and other security software. The msf-pdf2xdp utility allows us to convert a PDF file into XDP file format. To use this utility, simply open up the terminal and type msf-pdf2xdp. This utility requires two arguments in order to execute: the path to the .pdf file that we wish to convert and the path where we wish to store the .xdp file.

The following figure shows the utility converting sample.pdf to sample.xdp:

Figure 5.23 – Use of 'msf-pdf2xdp' utility

We'll now learn about the next utility: msf-msf_irb.

msf-msf_irb

The Metasploit Framework has a built-in Ruby shell that can be used for post-exploitation capabilities. However, it can be invoked separately as well using the command msf-msf_irb_shell, as in the following screenshot:

Figure 5.24 – Use of msf irb shell

Once invoked, you can fire any Ruby command and interact with the Ruby shell.

msf-pattern_create

There are certain situations specifically related to exploit development, where you are required to provide a specific pattern of characters as input. The msf-pattern_create utility helps generate a pattern of any given length and character combination.

As seen in the following screenshot, we generated a pattern with a length of 25, containing the characters s and r:

Figure 5.25 – Use of 'msf-pattern_create' utility

We'll now learn about the next utility: msf-virustotal.

msf-virustotal

VirusTotal is an online portal that accepts file samples as input and provides analysis on how many different antivirus engines were able to detect the file sample for the presence of malware. It is a very helpful and easy-to-use site. However, the Metasploit Framework provides a utility, msf-virustotal, which can be used to submit the file sample for analysis directly from the terminal without visiting the portal.

You can simply open up the terminal and type in msf-virustotal –h to get help with using the utility, as in the following screenshot:

Figure 5.26 – Use of 'msf-virustotal' utility

Using the msf-virustotal –f <filename> command, as in the following screenshot, we can submit a file sample for analysis and instantly get the results:

Figure 5.27 – Use of 'msf-virustotal' utility

We'll now msf-virustotallearn about the next utility: msf-makeiplist.

msf-makeiplist

While performing penetration testing or scanning on larger networks, you will often be required to deal with IP ranges and subnets. There are several tools, such as NMAP and Metasploit, that take the IP range as input and then perform the scan, while some tools take individual IPs as an input. The msf-makeiplist utility takes an IP range as input and converts it into a list of individual IPs from that range.

To start with, just open up the terminal and type in msf-makeiplist –h, as in the following screenshot:

Figure 5.28 – Use of 'msf-makeiplist' utility

This utility takes two arguments: the input file that has the IP range, and the output file where we wish to save the list of individual IPs.

Let's consider a file that has an IP range as in the following screenshot:

Figure 5.29 – Input for 'msf-makeiplist' utility

Now, let's run the utility using the msf-makeiplist –i<filename> -o <filename> command, as in the following figure:

Figure 5.30 – Use of 'msf-makeiplist' utility

As seen in the preceding figure, the utility quickly converted the IP range of 192.168.100.0-50 to individual IPs.

Summary

We started this chapter with learning how to set up and manage the Metasploit Database. We then learned about triggering NMAP and Nessus scans from within the Metasploit console. We then saw vulnerability detection using various Metasploit auxiliary modules and auto-exploitation with db_autopwn. We also saw the advanced post-exploitation features of the Metasploit Framework using meterpreter and then concluded with an introduction to several useful msf utilities.

In the next chapter, we'll learn about the interesting client-side exploitation features of the Metasploit Framework.

Exercises

• Perform NMAP and Nessus scans on Metasploitable 2.
• Try using db_autopwn on Metasploitable 2.
• Explore various Meterpreter capabilities.

Further reading

More information on Meterpreter can be found at https://www.offensive-security.com/metasploit-unleashed/about-meterpreter/.