Metasploit PDF

Uploaded by Romero E Mayrla
Metasploit

About the Tutorial

Metasploit is one of the most powerful and widely used tools for penetration testing. In this tutorial, we will take you through the various concepts and techniques of Metasploit and explain how you can use them in a real-time environment. This tutorial is meant for instructional purpose only.

Audience

This tutorial is meant for beginners who would like to learn the basic-to-advanced concepts of Metasploit and how to use it in penetration testing to safeguard their systems and networks.

Prerequisites

Before proceeding with this tutorial, you should have a good grasp over all the fundamental concepts of a computer and how it operates in a networked environment.

Copyright & Disclaimer

Copyright 2016 by Tutorials Point (I) Pvt. Ltd.

All the content and graphics published in this e-book are the property of Tutorials Point (I) Pvt. Ltd. The user of this e-book is prohibited to reuse, retain, copy, distribute or republish any contents or a part of contents of this e-book in any manner without written consent of the publisher.

We strive to update the contents of our website and tutorials as timely and as precisely as possible; however, the contents may contain inaccuracies or errors. Tutorials Point (I) Pvt. Ltd. provides no guarantee regarding the accuracy, timeliness or completeness of our website or its contents including this tutorial. If you discover any errors on our website or in this tutorial, please notify us at contact@tutorialspoint.com

Table of Contents

About the Tutorial
Audience
Prerequisites
Copyright & Disclaimer
Table of Contents
1. Metasploit - Introduction
2. Metasploit - Environment Setup
   Install Virtual Box
   Install Kali Linux
3. Metasploit - Basic Commands
4. Metasploit - Armitage GUI
5. Metasploit - Pro Console
6. Metasploit - Vulnerable Target
7. Metasploit - Discovery Scans
8. Metasploit - Task Chains
9. Metasploit - Import Data
10. Metasploit - Vulnerability Scan
11. Metasploit - Vulnerability Validation
12. Metasploit - Exploit
13. Metasploit - Payload
14. Metasploit - Credential
15. Metasploit - Brute-Force Attacks
16. Metasploit - Pivoting
17. Metasploit - Maintaining Access
18. Metasploit - MetaModules
19. Metasploit - Social Engineering
20. Metasploit - Export Data
21. Metasploit - Reports

1. Metasploit - Introduction

Metasploit is one of the most powerful tools used for penetration testing. Most of its resources can be found at: https://www.metasploit.com. It comes in two versions: commercial and free edition. There are no major differences in the two versions, so in this tutorial, we will be mostly using the Community version (free) of Metasploit.

As an Ethical Hacker, you will be using "Kali Distribution" which has the Metasploit community version embedded in it along with other ethical hacking tools. But if you want to install Metasploit as a separate tool, you can easily do so on systems that run on Linux, Windows, or Mac OS X.

The hardware requirements to install Metasploit are:

+ 2 GHz+ processor
+ 1 GB RAM available
+ 1 GB+ available disk space

Metasploit can be used either with command prompt or with Web UI.

The recommended OS versions for Metasploit are:

+ Kali Linux 2.0 or Upper Versions
+ Backtrack 3 and Upper Versions
+ Red Hat Enterprise Linux Server 5.10+
+ Red Hat Enterprise Linux Server 6.5+
+ Red Hat Enterprise Linux Server 7.1+
+ Ubuntu Linux 10.04 LTS
+ Ubuntu Linux 12.04 LTS
+ Ubuntu Linux 14.04 LTS
+ Windows Server 2008 R2
+ Windows Server 2012 R2
+ Windows 7
+ Windows 8.1

2. Metasploit - Environment Setup

We will take the following actions to set up our test environment:

+ We will download Virtual box and install it.
+ Download and install Kali distribution.
+ Download and install Metasploitable which will be our hacking machine.
+ Download and install Windows XP which will be another hacking machine.
In total, we will have 3 machines which will be logically connected in the same network.

[Diagram: Kali Linux (attacking machine), Metasploitable (attacked machine) and Windows 2003 machine (attacked machine) on the same network]

Install Virtual Box

To download Virtual Box, go to https://www.virtualbox.org/wiki/Downloads

Select the appropriate version depending on your OS and the hardware configuration of your system.

[Screenshot: VirtualBox download page listing the VirtualBox 5.1.2 binaries]

After selecting the appropriate version of Virtual Box, the following screen will appear. Click Next.

[Screenshot: Oracle VM VirtualBox 5.1.2 Setup Wizard welcome screen]

On the next screen, set the location where you want to install the application.

[Screenshot: Custom Setup with the installation location C:\Program Files\Oracle\VirtualBox\]

You will get a Warning message before proceeding with the installation.

[Screenshot: "Warning: Network Interfaces. Installing the Oracle VM VirtualBox 5.1.2 Networking feature will reset your network connection and temporarily disconnect you from the network. Proceed with installation now?"]

Click Yes on the above screen which will display the following screen. Click Install to begin the installation.

[Screenshot: Ready to Install screen of the setup wizard]

Now we are ready to install the rest of the hosts for this tutorial.

Install Kali Linux

You can download Kali Linux from its official website: https://www.kali.org/downloads/

[Screenshot: Prebuilt Kali Linux VirtualBox Images page, Kali Linux 64 bit VM and 32 bit VM PAE, version 2016.1, with SHA1 sums]

Go to the official website and download prebuilt Kali Linux VirtualBox images.

Next, open VirtualBox Manager and go to Machine -> New.

[Screenshot: VirtualBox Manager, Machine -> New]

Go to the location where Kali Linux has been downloaded and choose a virtual hard disk file.

[Screenshot: file chooser listing the Kali-Linux-2016.1-vm-amd64 virtual machine disk files]

The next screen will prompt you to create a virtual machine. Click the Create button, as shown in the following screenshot.

[Screenshot: Create Virtual Machine dialog with "Use an existing virtual hard disk file" selected]

Now, you can start Kali OS. Your default username will be root and your password will be toor.

3. Metasploit - Basic Commands

In this chapter, we will discuss some basic commands that are frequently used in Metasploit.

First of all, open the Metasploit console in Kali. You can do so by following the path: Applications -> Exploitation Tools -> Metasploit.

[Screenshot: Kali Applications menu]

Once you open the Metasploit console, you will get to see the following screen. Highlighted in red underline is the version of Metasploit.

[Screenshot: Metasploit console banner in a terminal, with the version underlined in red]

Help Command

If you type the help command on the console, it will show you a list of core commands in Metasploit along with their description.

[Screenshot: output of the help command]

msfupdate Command

msfupdate is an important administration command. It is used to update Metasploit with the latest vulnerability exploits. After running this command, you will have to wait several minutes until the update completes.

Search Command

Search is a powerful command in Metasploit that you can use to find what you want to locate.
For example, if you want to find exploits related to Microsoft, then the command will be:

msf > search name:Microsoft type:exploit

Here, search is the command, name is the name of the object that you are looking for, and type is the kind of script you are searching.

[Screenshot: output of the search command]

Info Command

The info command provides information regarding a module or platform, such as where it is used, who is the author, vulnerability reference, and its payload restriction.

[Screenshot: output of the info command]

4. Metasploit - Armitage GUI

In this chapter, we will see how to use the Armitage GUI for Metasploit. Armitage is a complement tool for Metasploit. It visualizes targets, recommends exploits, and exposes the advanced post-exploitation features. Armitage is incorporated with Kali distribution. If you are required to do Penetration testing, then you will have to use both the tools together.

Let's learn how to work with the Armitage GUI. At first, open the Metasploit console and go to Applications -> Exploit Tools -> Armitage.

[Screenshot: Kali Applications menu, Exploitation Tools -> Armitage]

Next, you will get to see the following screen.

[Screenshot: Armitage main window]

Armitage is very user friendly. Its GUI has three distinct areas: Targets, Console, and Modules.

+ The area Targets lists all the machines that you have discovered and those you are working with. The hacked targets have red color with a thunderstorm on it. After you have hacked a target, you can right-click on it and continue exploring with what you need to do, like exploring (browsing) the folders.
+ The area Console provides a view for the folders. Just by clicking on it, you can directly navigate to the folders without using any Metasploit commands.
+ The area Modules is the section that lists the module of vulnerabilities.

5. Metasploit - Pro Console

Pro Console is a commercial console version of Metasploit. It is available for Linux, Microsoft OS, and OSX. Metasploit Pro can help penetration testers to:

+ Leverage the Metasploit open source project and its leading exploit library
+ Manage data in large assessments
+ Control compromised machines and take over the network
+ Automatically generate reports containing key findings
+ Improve security by prioritizing exploitable vulnerabilities
+ Prove effectiveness of remediation or compensating controls to auditors
+ Get comprehensive visibility of user risks by integrating with Rapid7 UserInsight
+ Test the effectiveness of security controls
+ Simulate phishing campaigns for thousands of users

Metasploit Pro offers a command prompt and a WEB UI.

To use Metasploit Pro, you need to purchase it from Rapid7 and install it on your system. In Windows environment, to launch Metasploit Pro, go to: Start -> All Programs -> Metasploit -> Metasploit console.

[Screenshot: Metasploit Pro console on Windows]

If you are working in Linux environment, then open the command line terminal and type sudo msfpro.

[Screenshot: sudo msfpro starting the console, ending with "Metasploit Pro extensions have been activated" and "Successfully loaded plugin: pro"]

6. Metasploit - Vulnerable Target

A vulnerable target is a machine or device with an unpatched security hole. It makes the host vulnerable, which is the target in this case.

For testing purpose, Rapid7 has created a VM machine with plenty of vulnerabilities. Keep in mind that you are not allowed to penetrate any device without permission. Hence, you need to download Metasploitable which is a Linux machine.

Metasploitable can be downloaded from: https://information.rapid7.com/metasploitable-download.html?LS=1631875&CS=wel

[Screenshot: "Metasploitable - Virtual Machine to Test Metasploit" download page with registration form]

Fill out the form to register yourself.
Next, you will get the following screen with a direct link to download Metasploitable.

[Screenshot: Rapid7 "Thank you for registering for Metasploitable" page with the download link]

Next, open the VirtualBox Manager and go to Machine -> New.

[Screenshot: VirtualBox Manager, Machine -> New]

Click "Use an existing virtual hard disk file" and browse to the location where you have downloaded Metasploitable. Click Open.

[Screenshot: file chooser with Metasploitable.vmdk selected]

On the next screen, click Create.

[Screenshot: Create Virtual Machine dialog: Name Metasploitable, Type Linux, Version Ubuntu (64-bit), "Use an existing virtual hard disk file" Metasploitable.vmdk]

Now, you can login to Metasploitable using the default username: msfadmin and password: msfadmin.

[Screenshot: Metasploitable login prompt]

7. Metasploit - Discovery Scans

The first phase of penetration involves scanning a network or a host to gather information and create an overview of the target machine.

Discovery Scan is basically creating an IP list in the target network, discovering services running on the machines. To do this in Metasploit, we will use the command prompt, which runs NMAP commands incorporated in Metasploit. For more information on NMAP and its commands, go to

Now let's see in practice how it exactly works. We started the target machine (Metasploitable) and the Windows Server 2003 machine with the IP 192.168.1.101.

[Screenshot: ifconfig output of the target machine]

Next, we will start Metasploit. Here, we are using Kali Linux. Hence, the commands will always start with nmap.

Let's start to scan the network with range 192.168.0.0/24 and discover the machines.

[Screenshot: nmap scan of 192.168.0.0/24 in a root@kali terminal]

As can be seen in the above screenshot, there are 5 hosts up in the network with details. Now that we found the hosts that are alive, we will try to find the OS they are running on and their background services.

We will try to attack the vulnerable machine with the IP 192.168.1.101. To do so, we will run the following command:

nmap -sV -O -T4 192.168.1.101

Here,

+ -sV parameter will detect the services with their version details.
+ -O is to detect the version of OS which in our case is Linux 2.6.X
+ -T4 sets the timing template that controls how fast we let the scan finish

You will get the following screen as an output of using the above command.

[Screenshot: nmap -sV -O -T4 output for 192.168.1.101]

8. Metasploit - Task Chains

Task Chains is a feature found in the Metasploit Pro version which helps us to schedule tasks and execute them. It is generally used for processes that run periodically, for example, network scanning.

To configure a task, let's go to Tasks -> Chains -> New Task Chain.

[Screenshot: Task Chains page]

Provide a name for the Task Chain.

[Screenshot: Task Chain Name field]

Select from the list the task that you want to select. Let us select SCAN.

Next, the configuration task setting will appear as shown below. Let's add a task to the Task Chain which is the function that the server has to do after finishing the first task. To schedule the task, click the "Schedule Now" icon.

[Screenshot: task configuration form]

The following table will be displayed where you can select how often you want to run a task.

At the end, click the Save button to schedule the task chain.

[Screenshot: Schedule a Task Chain]

9. Metasploit - Import Data

Metasploit is a powerful security framework which allows you to import scan results from other third-party tools.
You can import NMAP scan results in XML format that you might have created earlier. Metasploit also allows you to import scan results from Nessus, which is a vulnerability scanner.

Let's see how it works. At first, perform an NMAP scan and save the result in XML format on your desktop, as shown in the following screenshot.

[Screenshot: nmap scan saved as an XML file on the desktop]

Next, open Metasploit or Armitage to import the scan results. Thereafter, use the following command to import all the hosts:

msf > db_import "path of xml file"

The following screenshot shows what the output will look like.

[Screenshot: db_import output]

To test whether the import file was correct or not, we can run specific commands on these two hosts and see how they respond. For example, in our case, we have listed all the hosts having the port 445 running on them.

[Screenshot: imported hosts with port 445 listed]

10. Metasploit - Vulnerability Scan

A vulnerability is a system hole that one can exploit to gain unauthorized access to sensitive data or inject malicious code. Metasploit, like all the other security applications, has a vulnerability scanner which is available in its commercial version. With the help of a vulnerability scanner, you can do nearly all the jobs with one application. This facility is not there in the free version of Metasploit. If you are using a free version of Metasploit, then you will have to use Nessus Vulnerability Scanner and then import the results from there. Metasploit uses Nexpose to do the scan.

Let's see how to scan with Nexpose in the Pro version of Metasploit.

First, add Nexpose console to Metasploit WEB UI. To do this, go to: Administration -> Global Setting -> Nexpose Console -> Configure Nexpose Console.

[Screenshot: Configure Nexpose Console form]

Enter the IP of the server having Nexpose installed. Next, enter the port number, the username and the password. Select enable.

Next, click the Nexpose button -> add the IP address of the host or network to be scanned -> select scan template.
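The XML report that db_import reads (the same file produced by the nmap -sV -O scan from the Discovery Scans chapter) has a simple structure, and it is worth seeing what the import actually extracts before trusting the database. The following Python parser is an added example and is not code from the tutorial or from Metasploit; it pulls the live hosts, their OS match and their services out of a constructed nmaprun-style document (addresses, products and versions are made up), and answers the same question the chapter asks, namely which imported hosts have port 445 open.

```python
"""Parse an Nmap XML report into host/service records, the data db_import loads.

Added example, not part of the tutorial or of Metasploit. SAMPLE_NMAP_XML is a
constructed document in the layout of nmap -oX output; every value in it is made up.
"""
import xml.etree.ElementTree as ET

SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sV -O -T4 -oX scan.xml 192.168.1.0/24">
  <host>
    <status state="up"/>
    <address addr="192.168.1.101" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/>
        <service name="ftp" product="vsftpd" version="2.3.4"/></port>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="4.7p1"/></port>
      <port protocol="tcp" portid="445"><state state="open"/>
        <service name="netbios-ssn" product="Samba smbd" version="3.X"/></port>
    </ports>
    <os><osmatch name="Linux 2.6.9 - 2.6.33" accuracy="100"/></os>
  </host>
  <host>
    <status state="up"/>
    <address addr="192.168.1.102" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/>
        <service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="filtered"/>
        <service name="ms-wbt-server"/></port>
    </ports>
  </host>
  <host>
    <status state="down"/>
    <address addr="192.168.1.103" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return one dict per host that Nmap saw as up:
    {"addr": str, "os": str or None, "services": [{"port", "proto", "state", "name", "version"}]}.
    Hosts that are down, or that have no IPv4 address, are skipped, just as the
    import would not give them services."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        osmatch = host.find("os/osmatch")
        services = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            svc = port.find("service")
            services.append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "state": state.get("state") if state is not None else "unknown",
                "name": svc.get("name") if svc is not None else None,
                # product + version is what -sV contributes; empty when -sV learned nothing
                "version": " ".join(filter(None, [svc.get("product"), svc.get("version")]))
                           if svc is not None else "",
            })
        hosts.append({"addr": addr_el.get("addr"),
                      "os": osmatch.get("name") if osmatch is not None else None,
                      "services": services})
    return hosts


def hosts_with_open_port(hosts, port, proto="tcp"):
    """Addresses of hosts with the given port open, e.g. every host exposing 445/tcp."""
    return sorted(h["addr"] for h in hosts
                  if any(s["port"] == port and s["proto"] == proto and s["state"] == "open"
                         for s in h["services"]))


if __name__ == "__main__":
    parsed = parse_nmap_xml(SAMPLE_NMAP_XML)
    for h in parsed:
        print(h["addr"], h["os"])
        for s in h["services"]:
            print("   %5d/%s %-8s %s %s" % (s["port"], s["proto"], s["state"], s["name"], s["version"]))
    print("hosts with 445/tcp open:", hosts_with_open_port(parsed, 445))
```

Only ports whose state is "open" count; a "filtered" 3389 on the second host is kept in the record but never reported as exposed, which is the distinction to check when the imported data looks too generous.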
It will initiate the scanning process.

[Screenshot: Nexpose scan in progress]

To view the scan result, go to Analysis -> Host.

11. Metasploit - Vulnerability Validation

In this chapter, we will learn how to validate the vulnerabilities that we have found from vulnerability scanners like Nexpose. This process is also known as vulnerability analysis.

As shown in the following screenshot, a vulnerability scanner can sometimes give you hundreds of vulnerabilities. In such a case, it can be quite time-consuming to validate each and every vulnerability.

[Screenshot: long list of vulnerabilities reported by the scanner]

Metasploit Pro has a feature called Vulnerability Validation to help you save time by validating the vulnerabilities automatically and give you an overview of the most crucial vulnerabilities that can be very harmful for your system. It also has an option to classify the vulnerabilities according to their severity.

Let's see how you can use this option. Open Metasploit Pro Web Console -> Project -> Vulnerability Validation.

[Screenshot: Project menu with Vulnerability Validation]

Next, enter the Project Name and provide an easy description about the project. Then, click the Start button.

[Screenshot: Vulnerability Validation, Create Project]

Click "Pull from Nexpose". Select "Import existing Nexpose vulnerability data" as shown in the following screenshot.

[Screenshot: Vulnerability Validation wizard, Pull from Nexpose]

Click Tag -> Automatically Tag by OS. It will separate the vulnerabilities for you.

[Screenshot: Vulnerability Validation wizard, Tag]

Next, go to Exploit -> Sessions and check the option "Clean up sessions when done". It means when the vulnerability will be checked, there will be interaction between the Metasploit machine and the vulnerable machine.

[Screenshot: Vulnerability Validation wizard, Exploit -> Sessions]

Click Generate Report -> Start.

[Screenshot: Vulnerability Validation wizard, Generate Report (PDF, RTF or Word)]

Next, you will see a Validation Wizard. Here, you need to click the Push validations button.

[Screenshot: Validation Wizard with the Push validations button]

You will get the following screen after you have all the list of the vulnerabilities tested.

[Screenshot: list of tested vulnerabilities]

To see the results of the tested vulnerabilities, go to Home -> Project Name -> Vulnerabilities.

[Screenshot: Vulnerabilities page]

12. Metasploit - Exploit

After vulnerability scanning and vulnerability validation, we have to run and test some scripts (called exploits) in order to gain access to a machine and do what we are planning to do.

Exploit using Armitage GUI

We have several methods to use exploits. The first and foremost method is to use Armitage GUI which will connect with Metasploit to perform automated exploit testing called HAIL MARY.

Let's see how it works. Open Kali distribution -> Application -> Exploit Tools -> Armitage.
[Screenshot: Armitage window]

You will see the following screen which would show all the exploits that are being tested.

[Screenshot: Armitage running the exploits]

Next, you will see the icon of the exploitable system (i.e., the system on which the exploit worked) will turn red in color with a thunderstorm pattern over it. At the console, you will see which exploit was successful, with its respective session ID.

[Screenshot: Armitage console showing the successful exploit and its session ID]

Now you can interact with the machine.

Exploit using Command Prompt

The second way (and probably a little professional way) to use an Exploit is by the Command Prompt.

From the Vulnerability Scanner, we found that the Linux machine that we have for test is vulnerable to FTP service. Now we will use an exploit that can work for us. The command is:

msf > use "exploit path"

Next, use the following command in order to see what parameters you have to set to make it functional.

msf > show options

This exploit shows that we have to set RHOST "target IP".

[Screenshot: show options output for the exploit]

Next, use the commands:

msf > set RHOST 192.168.1.101
msf > set RPORT 22

[Screenshot: setting RHOST and RPORT at the msf exploit(vsftpd_234_backdoor) > prompt]

Next, use the command:

msf > run

If the exploit is successful, then you will see one session opened, as shown in the following screenshot.

[Screenshot: session opened after run]

Now, you can interact with this system.

13. Metasploit - Payload

Payload, in simple terms, are simple scripts that the hackers utilize to interact with a hacked system. Using payloads, they can transfer data to a victim system.

Metasploit payloads can be of three types:

+ Singles - Singles are very small and designed to create some kind of communication, then move to the next stage. For example, just creating a user.
+ Staged - It is a payload that an attacker can use to upload a bigger file onto a victim system.
+ Stages - Stages are payload components that are downloaded by Stagers modules. The various payload stages provide advanced features with no size limits such as Meterpreter and VNC Injection.

Example

Let's take an example to understand the use of Metasploit payloads. Assume we have a Windows Server 2003 machine which is vulnerable to DCOM MS03-026.

At first, we will search for an exploit that can work with this vulnerability. We will use the exploit with the best RANK.

[Screenshot: search results for the MS03-026 exploit]

Next, we will use the following command to see what payload we can use with this exploit.

msf > show payloads

[Screenshot: show payloads output]

The above command will show the payloads that will help us upload/execute files onto a victim system, or make the victim a VNC server to have a view.

To set the payload that we want, we will use the following command:

set PAYLOAD payload/path

Set the listen host and listen port (LHOST, LPORT) which are the attacker IP and port. Then set remote host and port (RHOST, RPORT) which are the victim IP and port.

[Screenshot: setting LHOST, LPORT, RHOST and RPORT]

Type "exploit". It will create a session as shown below.

[Screenshot: session created]

Now we can play with the machine according to the settings that this payload offers.

14. Metasploit - Credential

After gaining access to a machine, it is important to take all the sensitive information such as usernames and passwords. You can perform this operation for auditing purpose as well, to analyze if the systems in your organization are using strong passwords or not.

In Windows, the passwords are stored in an encrypted form which are called NTLM hash. In Windows OS, you should always look for the user having the number 500, which signifies that the user is a superuser.

In the free version of Metasploit, hash credentials have to be saved in a text file or in the Metasploit database.

Example

Let's use the scenario that we have used in the previous chapter. Assume we have a Windows Server 2003 machine which is vulnerable to DCOM MS03-026.
We gained access to this system and inserted the meterpreter payload.

The command generally used in meterpreter is hashdump which will list all the usernames and the passwords.

[Screenshot: hashdump output in the meterpreter session]

You can also use Armitage to retrieve this information, as shown in the following screenshot.

[Screenshot: retrieving the hashes through the Armitage menu]

The commercial edition of Metasploit has a separate session called Credential which allows to collect, store, and reuse the credentials. Let's see how to go about it.

To collect sensitive data, first go to: Home -> Project Name -> Sessions.

[Screenshot: Sessions page]

Next, go to Project Name -> Credentials -> Manage. As shown in the following screenshot, you will see all the passwords gained and those that could be cracked.

[Screenshot: Manage Credentials page]

15. Metasploit - Brute-Force Attacks

In a brute-force attack, the hacker uses all possible combinations of letters, numbers, special characters, and small and capital letters in an automated way to gain access over a host or a service. This type of attack has a high probability of success, but it requires an enormous amount of time to process all the combinations. A brute-force attack is slow and the hacker might require a system with high processing power to perform all those permutations and combinations faster. In this chapter, we will discuss how to perform a brute-force attack using Metasploit.

After scanning the Metasploitable machine with NMAP, we know what services are running on it. The services are FTP, SSH, mysql, http, and Telnet. To perform a brute-force attack on these services, we will use auxiliaries of each service. Auxiliaries are small scripts used in Metasploit which don't create a shell in the victim machine; they just provide access to the machine if the brute-force attack is successful. Let's see how to use auxiliaries.

Here, we have created a dictionary list at the root of Kali distribution machine.

[Screenshot: file manager showing the dictionary list in the root home directory]

Attack the FTP Service

Open Metasploit.
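Before moving on to the FTP service, here is the auditing side of the Credential chapter above. The hashdump output is one line per account in the form username:RID:LM_hash:NT_hash:::, and the chapter's advice (look for RID 500, judge whether passwords are strong) can be turned into mechanical checks. The following Python audit is an added example and is not code from the tutorial or from Metasploit; the sample lines are constructed, and the only real values in them are the two well-known hashes of the empty password. It reports the built-in Administrator, accounts with a blank password, accounts that still store an LM hash, and accounts that share the same password.

```python
"""Audit a hashdump-style listing for the weaknesses the Credential chapter warns about.

Added example, not part of the tutorial or of Metasploit. SAMPLE_HASHDUMP is
constructed; only EMPTY_LM and EMPTY_NT are real (the hashes of an empty password).
"""
import collections

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM field when no LM hash is stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password

SAMPLE_HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
backup:1003:89c8c0f7a3e6b2d1c4e5f6a7b8c9d0e1:0123456789abcdef0123456789abcdef:::
svc_report:1004:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
"""


def parse_hashdump(text):
    """Return [(user, rid, lm, nt)] for every well-formed line; anything else is skipped."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        user, rid, lm, nt = parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()
        if len(lm) != 32 or len(nt) != 32:
            continue  # both fields are 16-byte hashes written as 32 hex digits
        records.append((user, rid, lm, nt))
    return records


def audit(records):
    """Return findings keyed by check name.

    builtin_admin:   RID 500, the account the chapter tells you to look for
    blank_password:  NT hash equals the hash of ""
    lm_hash_present: a real LM hash is stored, so the password is at most 14
                     characters and recoverable from a weak, case-insensitive hash
    shared_password: groups of accounts whose NT hashes are identical
    """
    findings = {"builtin_admin": [], "blank_password": [],
                "lm_hash_present": [], "shared_password": []}
    by_nt = collections.defaultdict(list)
    for user, rid, lm, nt in records:
        if rid == 500:
            findings["builtin_admin"].append(user)
        if nt == EMPTY_NT:
            findings["blank_password"].append(user)
        if lm != EMPTY_LM:
            findings["lm_hash_present"].append(user)
        by_nt[nt].append(user)
    for nt, users in by_nt.items():
        if len(users) > 1 and nt != EMPTY_NT:
            findings["shared_password"].append(sorted(users))
    return findings


if __name__ == "__main__":
    for check, hits in audit(parse_hashdump(SAMPLE_HASHDUMP)).items():
        print("%-16s %s" % (check, hits))
```

The shared-password check is the one that usually matters most on a real dump: identical NT hashes mean identical passwords, so one weak service account can expose an administrator even when the administrator's own password is never cracked.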
The first service that we will try to attack is FTP and the auxiliary that helps us for this purpose is auxiliary/scanner/ftp/ftp_login. Type the following command to use this auxiliary:

msf > use auxiliary/scanner/ftp/ftp_login

[Screenshot: ftp_login auxiliary run against the target at the msf auxiliary(ftp_login) > prompt]

As you can see, it is completed, but no session has been created. It means we were unsuccessful in retrieving any useful username and password.

Attack the SSH Service

To attack the SSH service, we can use the auxiliary: auxiliary/scanner/ssh/ssh_login

As you can see in the following screenshot, we have set the RHOSTS to 192.168.1.101 (that is the victim IP) and the username list and password (that is userpass.txt). Then we apply the run command.

[Screenshot: ssh_login options and run output]

As can be seen in the above screenshot, three sessions were created. It means three combinations were successful. We have underlined the usernames.

To interact with one of the three sessions, we use the command msf > sessions -i 3 which means we will connect with session number 3.

Attack the Telnet Service

To apply a brute-force attack on a Telnet service, we will take a provided set of credentials and a range of IP addresses and attempt to login to any Telnet servers. For this, we will use the auxiliary: auxiliary/scanner/telnet/telnet_login.

The process of using the auxiliary is same as in the case of attacking an FTP service or an SSH service. We have to use the auxiliary, set RHOST, then set the list of passwords and run it.

Take a look at the following screenshot. Highlighted in blue arrow are the incorrect attempts that the auxiliary did. The red arrows show the successful logins that created sessions.

[Screenshot: telnet_login output with failed attempts (blue arrows) and successful logins (red arrows)]

Some other auxiliaries that you can apply in brute-force attack are:

+ SMB service: auxiliary/scanner/smb/smb_login
+ SNMP service: auxiliary/scanner/snmp/snmp_login
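The login scanners in this chapter leave a very recognisable trace on the target: a burst of failed logins from one source address, sometimes followed by a success. The following Python detector is an added example and is not code from the tutorial or from Metasploit; it runs over constructed sshd-style auth.log lines (addresses and usernames are made up), counts failures per source inside a sliding time window, raises an alert when a source crosses the threshold, and raises a second, more serious alert when a source that was already flagged then logs in successfully, which is exactly the "session created" outcome the screenshots above show from the other side.

```python
"""Detect a login brute-force, and a success after one, in sshd-style auth log lines.

Added example, not part of the tutorial or of Metasploit. SAMPLE_AUTH_LOG is constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

SAMPLE_AUTH_LOG = """\
Mar  3 10:00:01 metasploitable sshd[2101]: Failed password for invalid user admin from 192.168.1.108 port 41000 ssh2
Mar  3 10:00:02 metasploitable sshd[2102]: Failed password for root from 192.168.1.108 port 41001 ssh2
Mar  3 10:00:02 metasploitable sshd[2103]: Failed password for invalid user test from 192.168.1.108 port 41002 ssh2
Mar  3 10:00:03 metasploitable sshd[2104]: Failed password for msfadmin from 192.168.1.108 port 41003 ssh2
Mar  3 10:00:03 metasploitable sshd[2105]: Failed password for user from 192.168.1.108 port 41004 ssh2
Mar  3 10:00:04 metasploitable sshd[2106]: Accepted password for msfadmin from 192.168.1.108 port 41005 ssh2
Mar  3 10:05:00 metasploitable sshd[2200]: Failed password for alice from 192.168.1.50 port 50100 ssh2
Mar  3 10:05:30 metasploitable sshd[2201]: Accepted password for alice from 192.168.1.50 port 50101 ssh2
"""

# syslog timestamp, host, sshd[pid], then the result line; "invalid user" is optional
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                     r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
                     r"from (?P<src>\d+\.\d+\.\d+\.\d+)")


def parse_line(line, year=2016):
    """Return {"ts", "result", "user", "src"} for a login line, or None for anything else.
    Syslog lines carry no year, so the caller supplies one (assumption for the sample)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime("%d %s" % (year, m.group("ts")), "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m.group("result"), "user": m.group("user"), "src": m.group("src")}


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return alerts in log order:
    ("bruteforce", src, failures)          once a source reaches `threshold` failures
                                           within `window_seconds`
    ("success_after_bruteforce", src, user) for every later success from a flagged source."""
    alerts = []
    failures = defaultdict(deque)  # src -> timestamps of failures still inside the window
    flagged = set()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        src, ts = ev["src"], ev["ts"]
        window = failures[src]
        while window and (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()  # drop failures that have aged out of the window
        if ev["result"] == "Failed":
            window.append(ts)
            if len(window) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("bruteforce", src, len(window)))
        elif src in flagged:
            alerts.append(("success_after_bruteforce", src, ev["user"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_AUTH_LOG):
        print(alert)
```

The second source in the sample (one typo, then a normal login thirty seconds later) produces no alert, which is the behaviour you want: the threshold and window keep ordinary users out of the report, and the success-after-burst rule is what separates a noisy scan from an actual credential compromise that needs a response.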
Metasploit — Pivoting Pivoting is a technique that Metasploit uses to route the traffic from a hacked computer toward other networks that are not accessible by a hacker machine. Let’s take a scenario to understand how Pivoting works, Assume we have two networks: + Anetwork with the range 192.168.1.0/24 where the hacker machine has access, and ‘+ Another network with the range 10.10,10.0/24. It is an internal network and the hacker doesn’t have access to it. The hacker will try to hack the second network this machine that has access in both networks to exploit and hack other internal machines. In this scenario, a hacker will first break into the first network and then use it as a staging point to exploit and hack the internal machines of the second network. This process is known as pivoting because the hacker is using the first network as a pivot to get access into the second network. IP: 192.168.1.108 IP: 192.168.1.102 IP interal:10.10.10.101 Network 192.168.1.0/24 Network 10.10.10.0724 Let’s try to understand how it works. We will take a Windows Server 2003 system with DCOM vulnerability and we will use this vulnerability to hack this system. Metasploit TRU creer rere Tt See mst eT Now that we gained access to this system, let's interact with the session with the command session -i 1 where "1" is the number of the session that was created. meterpreter > sessions -i 1 [+] star eeu) Now, let’s use the command ipconfig to find out if this host has access to other networks. The following screenshot shows the output. You can observe that this host is connected with two other networks: = one is a loopback network which is of no use, and «the other network is 10.10.10.0/24 which we will explore. MN. 50 Metasploit poe Metasploit has an AutoRoute meterpreter script that will allow us to attack this second network through our first compromised machine, but first, we have to background the session. 
Adding a route toward the internal network with range 10.10.10.0/24

Now that we have routed the traffic (Pivot), we can try to scan the hosts found in this network.

We did a port scan on host 10.10.10.102. The following screenshot shows the result.

Now we have gained access to the internal network. However, if you lose the session of the hacked machine, you will lose access to the internal network too.

17. Metasploit — Maintaining Access

In this chapter, we will discuss how to maintain access in a system that we have gained access to. It is important because if we don't maintain access, then we will have to try to exploit it from the beginning in case the hacked system is closed or patched.

The best way is to install a backdoor. For the hacked machine Windows Server 2003 that we exploited in the previous chapter, we set the payload of meterpreter and this payload has a backdoor option called metsvc. We can use this backdoor option to get access to the victim machine whenever we want, but this backdoor comes with a risk that everyone can connect to this session without authentication.

Let us understand in detail how it works in practice. We are at a stage where we have exploited the Windows Server 2003 machine and we have set the meterpreter payload. Now we want to see the processes that are running on this machine and hide our process behind a genuine process.

Type "ps" in the meterpreter session to see the victim processes.

We like to hide our process behind explorer.exe because it is a process that runs at startup and it is always present. To do this, use the command "migrate PID number" as shown in the following screenshot.

To install the backdoor, type run metsvc. While running, you will see the port that was created and the directory where the files are being uploaded.
To connect with this backdoor, we need multi/handler with a payload of windows/metsvc_

Metasploit — Privilege Escalation

After we have exploited and gained access to a victim system, the next step is to get its administrator rights or root permission. Once we get this privilege, then it becomes very simple to install, delete, or edit any file or process.

Let's carry on with the same scenario where we have hacked a Windows Server 2003 system and put the payload meterpreter.

Meterpreter uses the "getsystem" command to escalate privileges. But first, we have to use the "priv" command to prepare the hacked system for privilege escalation. Next, run the "getsystem" command.

meterpreter > getuid

As you can see, we have actually logged in as an administrator.

18. Metasploit — MetaModules

MetaModules are complex and automated security tasks, designed to help security departments do their job more efficiently, like testing which firewall ports are open and closed, testing default credentials, etc.

MetaModules are new features that were introduced in Metasploit Pro (the commercial version). You should keep in mind that the MetaModules with the best star rating will provide you the best results.

To open MetaModules, go to Home -> Project Name -> Modules -> MetaModules.

As you can see, we have six MetaModules to serve different requirements.

Segmentation and Firewall Testing

This MetaModule runs a full Nmap SYN scan against an external server hosted by Rapid7 that acts as an egress scan target. Use this MetaModule to discover outbound ports on a firewall that an attacker can use to filter information. You will need to specify the ports and protocols that you want to audit.

To run this MetaModule, click the Launch button and follow the instructions in there.
It will show you a report of open, closed, and filtered ports, just as shown in the following screenshot.

Credentials Domino

This MetaModule uses a valid login or an active session to perform an iterative credentials attack that collects credentials from compromised hosts. It reuses collected credentials to identify other possible attack routes. This MetaModule runs until it tries all credentials or reaches a termination condition.

To run this MetaModule, click the Launch button on the opening screen. It will produce the following screen, wherein you have to choose the HOST IP and the login credentials to be tested.

If the credentials that you have entered are correct, then it will produce the following result.

SSH Key Testing

This MetaModule attempts to log in to systems with a recovered SSH key. It records the success and failure results for each service. You will need to specify the user name, the SSH key filename, and the range of hosts that you want.

To run this MetaModule, click Launch on the opening screen. It will display the following screen.

Enter the credentials and click the Launch button.

Passive Network Discovery

This MetaModule is designed to sniff traffic to discover hosts and services on a local network. Since it does not send any packets, you can run this app to conduct a stealthy network discovery scan and identify any hosts, services, and clear-text credentials.
To run this MetaModule, click the Launch button on the opening screen. It will display the following screen.

Select the network interface (generally they are automatically discovered). Click Filters. Thereafter, check all the protocols that you want to monitor. In this case, we checked only HTTP.

You will get the following screen with captured data and packets. If any IP or credential is found, it will also be displayed.

19. Metasploit — Social Engineering

Social engineering can be broadly defined as a process of extracting sensitive information (such as usernames and passwords) by trickery. Hackers sometimes use fake websites and phishing attacks for this purpose. Let us try to understand the concept of Social Engineering attacks through some examples.

Example 1

You must have noticed old company documents being thrown into dustbins as garbage. These documents might contain sensitive information such as Names, Phone Numbers, Account Numbers, Social Security Numbers, Addresses, etc. Many companies still use carbon paper in their fax machines and once the roll is over, its carbon goes into the dustbin, which may have traces of sensitive data.
Although it sounds improbable, attackers can easily retrieve information from the company dumpsters by pilfering through the garbage.

Example 2

An attacker may befriend a company employee and establish a good relationship with him over a period of time. This relationship can be established online through social networks, chat rooms, or offline at a coffee table, in a playground, or through any other means. The attacker takes the office employee into confidence and finally digs out the required sensitive information without giving a clue.

Example 3

A social engineer may pretend to be an employee or a valid user or a VIP by faking an identification card or simply by convincing employees of his position in the company. Such an attacker can gain physical access to restricted areas, thus providing further opportunities for attacks.

Example 4

It happens in most of the cases that an attacker might be around you and can do shoulder surfing while you are typing sensitive information like user ID and password, account PIN, etc.

Social Engineering Attack in Metasploit

In this section, we will discuss how you can initiate a Social Engineering attack using Metasploit.

First of all, go to the Home page of Metasploit and click Phishing Campaign, as shown in the following screenshot.

Enter the name of the project and click Next.

Enter the name of the campaign. In our case, it is Lab. Next, click the E-mail icon under Campaign Components.

On the next screen, you need to supply the requested data according to your campaign.
Next, click the Content icon (number 2) if you want to change anything in the content of the email. After changing the content, click Save.

Next, click the Landing Page icon to set the URLs where you want to redirect your tricked users.

As shown in the following screenshot, enter the URL at Path and click Next.

On the next screen, click the button Clone Website, which will open another window. Here, you need to enter the website that you want to clone. As you can see in the following screenshot, we entered tutorialpoint.com in this field. Next, click the Clone button and save your changes.

Next, click the Redirect Page button. Click Next and you

You can click the Clone Website button to clone the redirected website again.

Next, in the Server Configuration section, click the E-mail Server button.

On the next screen, enter the mail server settings that will be used as a relay to send this phishing email. Then, click Save.

In the Notifications section, there is an option to Notify others before launching the campaign. You can choose to use this option to notify others. Then, click Save.

Next, you will see a new window. Here, you need to click the Start button to initiate the process of sending phishing mails.

Metasploit has options to generate a statistical report of your phishing campaign. It will appear as shown in the following screenshot.

20. Metasploit — Export Data

In this chapter, we will see how to export data which, in a way, is a backup of your projects. Later on, you can import this backup into another Metasploit project.

This feature "Export Data" is available in both the free version as well as the commercial version of Metasploit.

If you want to export data from Metasploit Pro, then it will store a copy of the file in the location "/path/to/metasploit/apps/pro/exports".
The files that are stored in this directory will match the list of exports displayed in the web interface. You can find and view the export log in the following directory: "/path/to/Metasploit/apps/pro/ui/log". The export log is named "exports.log".

To clear the export log, you will need to remove it from the log directory, which is located at "/path/to/Metasploit/apps/pro/ui/log".

Exporting Data in Metasploit Pro

To export data, go to Home -> Project Name -> Exports -> Export Data.

On the next screen, you can choose the file format in which you want to store the export data.

+ PWDump — A text file that contains all of the credentials for a project, including plaintext passwords, SMB hashes, and SSH keys. Credentials can be masked to enumerate user names only.
+ Replay script — A batch file that reruns tasks that opened sessions on target hosts. A replay script consists of multiple resource files (.rc).
+ XML — An XML file that contains the attributes for most of the objects in a project and can be imported into another project.
+ ZIP Workspace — A zip that contains an XML export and any loot files, report files, and task logs.

At Export Type, enter a file name for the export data. Next, at Address Settings, enter the IP of the hosts. Next, in the Options section, you can choose to hide your credentials by clicking on the checkbox Mask Credentials.
Then, click the button Export Data.

The following screen will be displayed where you can see the exported file.

Click Download to retrieve the exported file.

21. Metasploit — Reports

Metasploit has in-built options that you can use to generate reports to summarize all your activities and findings. In this chapter, we will discuss how you can generate reports in Metasploit.

To create reports in Metasploit, follow the steps given below:

1. Go to Home -> Reports -> New Report.
2. Select a Report Type according to your needs. If you click the "?" icon, it will show you information on every type of report.
3. In the Name field, provide a file name.
4. In the Sections field, check the options as per your requirement.
5. Similarly, in the Options field, check the options as per your requirement.
6. In the Email Report section, you can enter the email IDs of the recipients to whom you would like to mail the report directly.
7. Next, click the Generate Report button.

Your report is now generated. Next, to view all your reports, go to Reports -> Show Reports.

You can view your reports by clicking View under Actions.

[Screenshot: a generated report opening with an Executive Summary, followed by Major Findings, Compromised Hosts and Discovered Operating Systems (operating system, hosts, services, vulnerabilities) sections]
