INFO3002 Ethical Hacking Principles and Practice
Lecture 5: Exploitation and Metasploit
School of Computer, Data and Mathematical Sciences
Western Sydney University
Where we are: 1: Reconnaissance → 2: Scanning → 3: Exploitation → 4: Post Exploitation → 5: Writing Report
Lecture outline
■ Exploitation Overview
■ Metasploit Framework (MSF) Overview
■ MSF Basic Commands
■ Main Steps of Launching Attacks with MSF
Exploitation Basics
■ Exploitation takes place after a vuln has been discovered on a target.
■ It basically involves two steps:
▬ Run a piece of code that exploits the vuln to gain access to the
target.
o This piece of code is typically called an exploit.
▬ Run another piece of code to control the target, such as a shell.
o This piece of code is typically called a payload or shellcode.
Exploitation Tools
■ Metasploit Framework (MSF)
▬ Free Open Source Software
▬ The most popular one
▬ An important topic in this subject
■ Metasploit Pro
▬ Commercial version, by Rapid7 Ltd.
■ Core Impact
▬ Another commercial software
▬ Effective, but less popular than Metasploit
■ And more ...
■ Or you can develop exploits yourself.
An Important Exploit Database
■ The most popular open source database for known
exploits is exploit-db.
▬ Maintained by Offensive Security
▬ Website: www.exploit-db.com.
o May not be accessible within our university network.
▬ Git repository: https://gitlab.com/exploit-database/exploitdb
o Accessible within our university network
■ Source code in various languages such as C, Python,
Ruby, Java, etc.
An Important Exploit Database (cntd)
■ If you want to conduct exploitation without using a tool such
as MSF, you can download an exploit from exploit
databases and manually apply it.
■ For convenient access to exploit-db, Kali has a local
copy of it at /usr/share/exploitdb
■ Kali also provides a tool called searchsploit to search this local
copy of exploit-db.
searchsploit: tool to search exploit-db
■ Usage:
▬ searchsploit [options] term1 [term2] ... [termN]
▬ You need to give at least one term and can give as many terms as you
want
■ Main Options:
▬ -c: Perform a case-sensitive search (Default is case insensitive).
▬ -h: Show this help screen.
▬ -p: Show the full path to an exploit.
▬ -t: Search just the exploit title (Default is title AND the exploit's path).
▬ -u: Check and install exploitdb package updates.
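As an added illustration (not from the lecture and not the searchsploit tool's own code), the following Python re-implements searchsploit's matching rules over a small constructed index: terms are ANDed, so adding a term narrows down the previous results; the default searches title and path, and the -c, -t and -p options are modelled as keyword arguments. The index rows and the eight-column CSV layout are assumptions; the /usr/share/exploitdb path is the one on the slide.

```python
import csv
import io

# Constructed sample index (not real exploit-db data), laid out like the
# files_exploits.csv index that searchsploit reads from the local copy.
EXPLOITDB_ROOT = "/usr/share/exploitdb"
SAMPLE_CSV = """id,file,description,date,author,type,platform,port
90001,exploits/linux/remote/unreal_ircd_3281-example.rb,"UnrealIRCd 3.2.8.1 - Backdoor Command Execution (Metasploit)",2010-06-13,example,remote,linux,6667
90002,exploits/windows/remote/smb-example.py,"Windows SMB - Remote Code Execution (Example)",2017-05-01,example,remote,windows,445
90003,exploits/linux/local/kernel-example.c,"Linux Kernel - Local Privilege Escalation (Example)",2016-10-20,example,local,linux,0
"""


def searchsploit(terms, db_csv=SAMPLE_CSV, case_sensitive=False,
                 title_only=False, show_path=False):
    """Mini searchsploit: every term must match (AND), so adding terms
    narrows down the previous results, as in Example 2 on the slides.
    case_sensitive mirrors -c, title_only mirrors -t, show_path mirrors -p."""
    if not terms:
        raise ValueError("searchsploit needs at least one search term")
    fold = (lambda s: s) if case_sensitive else str.lower
    hits = []
    for row in csv.DictReader(io.StringIO(db_csv)):
        # Default search covers the title AND the path; -t restricts it to the title.
        haystack = row["description"] if title_only else row["description"] + " " + row["file"]
        if all(fold(term) in fold(haystack) for term in terms):
            path = f"{EXPLOITDB_ROOT}/{row['file']}" if show_path else row["file"]
            hits.append({"id": row["id"], "title": row["description"], "path": path})
    return hits
```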
Examples of using searchsploit
■ Example 1:
Examples of using searchsploit (cntd)
■ Example 2 (narrow down on previous results):
Lecture outline
■ Exploitation Overview
■ Metasploit Framework (MSF) Overview
■ MSF Basic Commands
■ Main Steps of Launching Attacks with MSF
MSF – History
■ Open source software developed by HD Moore in
2003.
▬ It generated great excitement at that time.
▬ It implements the common techniques needed in exploitation and
post exploitation, and allows plug-ins from third parties.
■ Acquired by Rapid7 LLC in October 2009.
■ Since its acquisition, Rapid7 has developed a proprietary
edition called Metasploit Pro, while the basic part, still
called Metasploit Framework, remains open source.
MSF – Basics
■ MSF was originally implemented in Perl; by 2007, it had
been completely rewritten in Ruby.
■ MSF supports most platforms including Windows, Linux,
and Mac OS.
■ Preinstalled in Kali.
MSF – Architecture
■ One can more easily understand the MSF Architecture by
looking at its file system.
■ It is under /usr/share/metasploit-framework
MSF – Architecture – Directories
■ The following directories are important:
▬ data: data files used by Metasploit, e.g., the word list for password
dictionary attack
▬ lib: the core of the framework code
▬ modules: the arsenal of MSF, encompassing exploits, payloads,
scanners, etc.
▬ plugins: contributed by third parties
■ We will focus on modules.
MSF – Modules
■ Modules mainly have the following categories:
▬ exploit
▬ payload
▬ evasion: modules that help evade anti-virus software
▬ encoder: encodes the payload so that it is delivered to the target correctly
▬ nop: no-operation instructions, used to pad payloads to the desired size
▬ auxiliary: tools that help with exploitation, e.g., scanners, fuzzers,
server captures, etc.
o fuzzers generate user inputs to test an application;
o server captures pretend to be a certain server to gather user credentials,
e.g., ftp capture, http capture, etc.
▬ post: contains payloads such as backdoors, privilege escalators,
etc. used in the post exploitation phase.
MSF – Modules (cont'd)
■ The modules are mapped to the following directory
structure:
Modules – Exploits
■ Since an exploit can only be applied to one type of OS in most cases,
the exploits are organised according to OSes in MSF:
■ Then, they are further classified according to services provided by an OS:
Modules – Exploits (cntd)
■ Each exploit is a Ruby script with the suffix '.rb':
■ Each exploit calls the basic APIs provided by MSF to implement the
exploitation, and can be launched by MSF.
Modules – Payloads
■ Payloads are broadly classified into the following three
categories:
▬ Singles
▬ Stagers
▬ Stages
Modules – Payloads – Singles
■ Singles can function alone to complete a task.
■ For example, they can simply add a new user or execute a command,
etc.
Modules – Payloads – Stagers and Stages
■ Sometimes a payload is too large to fit in the exploited
buffer at the victim, so it cannot work as a single.
■ It has to be broken into a stager and a stage.
▬ The stager is typically small and can fit into the exploited buffer. Its
execution will upload the stage into the victim's memory.
▬ The stage is typically large and needs to be specially loaded into the
victim's memory.
A mnemonic: stage is big, so stage is the bigger one
■ If a payload needs to be broken, we also say it is to be
staged.
Modules – Payloads – Stagers
■ There are typically two kinds of stagers:
▬ bind: create a listening TCP port at the target and wait for the TCP
connection from the attacker machine, and then load the stage.
▬ reverse: create a listening TCP port at the attacking machine and wait
for the TCP connection from the target, and then load the stage.
■ Note that the reverse one is more powerful, as most
firewalls won't filter outbound connections.
Modules – Payloads – Stages
■ Examples of stages include:
▬ Shell: provides a command line terminal of the compromised OS.
▬ Meterpreter (to be covered next week): provides a command
line terminal with specialised commands for hacking.
▬ VNC injection: provides a graphical remote desktop.
▬ And much more ...
A Tally of different types of modules
■ As displayed when MSF starts up, the numbers of
different modules are roughly as follows:
▬ Exploit: 2300
▬ Payload: 1000
▬ Auxiliary: 1200
▬ Post: 400
▬ Encoder: 45
▬ Nop: 10
▬ Evasion: 10
Lecture outline
■ Exploitation Overview
■ Metasploit Framework (MSF) Overview
■ MSF Basic Commands
■ Main Steps of Launching Attacks with MSF
MSF – User Interfaces
■ MSF supports the following user interfaces, each with its
strengths and weaknesses:
▬ Command-Line Interfaces
o msfcli: simple to use, but not as powerful as msfconsole; good for scripting
o msfconsole: interactive, with access to almost every feature of
MSF, but not good for scripting.
▬ GUIs
o Metasploit Pro: the commercial one
o Armitage: an open source GUI written in Java.
■ This subject will focus on msfconsole as it is the most
powerful and helps with understanding.
Msfconsole – Starting
■ Start the PostgreSQL database daemon, as MSF uses
PostgreSQL as its backend.
▬ sudo service postgresql start
o PostgreSQL is another open source database competing with MySQL
■ Initialise the MSF database named 'msf' in PostgreSQL
▬ sudo msfdb init
o only needed once, before msfconsole runs for the first time
■ Launch msfconsole (will take a little while)
▬ sudo msfconsole
Before Kali 2020, 'sudo' was not needed before 'msfconsole'. However,
since Kali 2020, make sure to include 'sudo'; otherwise your msfconsole
will have very limited functionality.
Msfconsole – Basic Commands
■ Msfconsole includes many commands; the following lists
some basic ones.
▬ help
▬ info
▬ search
▬ use
▬ back
▬ exit
Reference: https://www.offensive-security.com/metasploit-unleashed/msfconsole-commands/
Commands – help
■ help: list all available commands
■ help <command name>: display the usage of a command.
E.g.,
Commands – info, check
■ info <module name>: provides detailed information about
a module, including the module description, vuln references
(CVE, BID, URLs), etc.
▬ E.g., msf > info exploit/windows/smb/ms03_049_netapi
o The output is very long. You should try it in msfconsole yourself.
■ check: this command is used within an exploit context. It
checks whether the exploit can be applied successfully without
actually applying it. E.g.:
Commands – search
■ search <patterns>: looks for a module by searching for the
patterns in module names, descriptions, references, etc.
▬ E.g., search eternalblue windows
■ "Rank" indicates the usability of this module. Ranks include:
excellent, great, good, normal, average, low, and manual.
■ "Check" indicates if the 'check' command is supported.
Commands – search (cntd)
■ You can also search by using keywords.
Commands – search (cont'd)
■ In addition to the cve and bid keywords mentioned on the last slide, you
can also search for an exploit using a Microsoft Security Bulletin ID.
▬ E.g., MS08-067: https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2008/ms08-067
Commands – search (cntd)
■ If you encounter the following 'database cache' error when
searching,
■ you can fix it by:
1. Under msfconsole, run 'db_rebuild_cache'
2. Under a Kali terminal, run 'sudo service postgresql restart'
Commands – use
■ use <module name>: Select a module to use and enter the
context of that module.
■ Under a module context, you can issue commands related
to that module. We'll come back to this topic later.
Commands – sessions
■ sessions: list the current sessions obtained for controlling the
target.
■ sessions -i <session ID>: enter the session with that ID.
Commands – back and exit
■ back: exit from a module context.
■ exit: exit from msfconsole.
Lecture outline
■ Exploitation Basics
■ Metasploit Framework (MSF) Overview
■ MSF Basic Commands
■ Main Steps of Launching Attacks with MSF
The Main Steps of Launching Attacks
1. Search for an exploit for the vuln (using keywords related to
this vuln)
2. Select the exploit with a good rank using the 'use <exploit
name>' command.
3. Show the compatible payloads for this exploit using the 'show
payloads' command
4. Select the payload using the 'set payload <payload name>'
command
5. Show the options for the exploit and the payload using the
'show options' command
6. Set the options using the 'set <option name> <value>'
command
7. Launch the attack using the 'exploit' command
Notes for the main steps
■ This sequence of steps has a natural logic behind it. If you
understand the logic, it is very easy to remember
these seven steps.
■ Steps 3 and 4, which select a payload, are optional.
▬ If you omit steps 3 and 4, MSF will pick a suitable payload according to
its own intelligence.
An Example – Exploiting the
UnrealIRCd vulnerability
■ According to the GVM report on Metasploitable2, it runs
the Unreal IRC daemon UnrealIRCd version 3.2.8.1.
▬ Note: IRC (Internet Relay Chat) is a chat system.
■ This version contains a backdoor, which can be triggered
by sending the daemon letters "AB" followed by a system
command.
■ Let's see how we can exploit this vuln using MSF.
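From the defender's side, the trigger described above is easy to spot in client-to-server IRC traffic: a legitimate IRC message begins with a verb such as NICK or PRIVMSG, never with the bare letters "AB" followed by a system command. The following detection routine is an added example, not from the lecture; the session lines are constructed and the "C>"/"S>" direction markers are an assumption of the example.

```python
# Constructed sample of a client/server IRC session: "C>" marks lines sent
# by the client, "S>" lines sent by the server (made up for this example).
SAMPLE_SESSION = [
    "C> NICK analyst",
    "C> USER analyst 0 * :analyst",
    "S> :irc.example.test 001 analyst :Welcome to the test network",
    "C> PRIVMSG #ops :ABout time this box was patched",  # benign text mentioning AB
    "C> AB; id",                                          # backdoor trigger + command
    "S> :irc.example.test NOTICE analyst :*** Looking up your hostname",
    "C> AB;whoami",
    "C> QUIT :bye",
]


def find_backdoor_triggers(session_lines):
    """Return (line_number, command) for every client message that begins
    with the UnrealIRCd 3.2.8.1 backdoor trigger "AB" followed by a command."""
    alerts = []
    for lineno, line in enumerate(session_lines, start=1):
        direction, _, message = line.partition("> ")
        if direction != "C":
            continue  # only the client can send the trigger to the daemon
        if not message.startswith("AB"):
            continue
        if len(message) > 2 and message[2].isalpha():
            continue  # an ordinary IRC verb that happens to start with AB
        command = message[2:].lstrip("; \t")  # whatever follows the trigger
        if command:
            alerts.append((lineno, command))
    return alerts
```

Each alert carries the line number and the command the client tried to run, which is what an analyst needs to confirm a compromise and scope the incident.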
An Example – Step 1
■ Choosing a good search string is very important.
■ For this example, all of the following strings will lead you to
the exploit you want.
▬ unreal_ircd
▬ unrealircd
▬ cve-2010-2075
An Example – Step 2
■ Since the returned exploit has a good rank, select it by the
'use' command.
■ You can also specify this exploit by its index from search
results:
▬ 'use 0' is equivalent to
▬ 'use exploit/unix/irc/unreal_ircd_3281_backdoor'
An Example – Step 3
■ Show the compatible payloads.
■ You can use the 'info' command to get a detailed description
of a payload.
An Example – Step 3 (cont'd)
■ Understanding the payload name:
▬ 'cmd' means this payload will give you a command shell.
▬ 'unix' means this payload works in unix-family OSes.
▬ 'bind' and 'reverse' tell us about the stager and hence its direction of
TCP connection.
An Example – Step 4
■ Select a payload. Suppose we select the first one, knowing
that
▬ the connection to the target will not be blocked by a firewall, and
▬ the perl program is available on the target machine.
An Example – Step 5
■ Show options for exploit and payload.
An Example – Step 6
■ Set options. We see that the values for RHOSTS and RHOST
(Remote Host) are missing, so we need to set them. The
option names are case insensitive.
■ The value set for RHOSTS is propagated to RHOST
automatically, so you don't need to set RHOST separately.
An Example – Step 7
■ Launch the attack by entering 'exploit'.
▬ When you see "session n opened", you've gained a Linux shell on the target.
▬ NB: there is no prompt for the gained shell, but you can start entering Linux
commands such as "id", "pwd", etc.
To exit the shell, enter Ctrl + C.
2nd Example – If Omitting Steps 3, 4
■ Exit MSF, and start it again. Then, omit steps 3 and 4 in this attack. MSF
will cleverly select the payload with the reverse TCP connection.
Example Short Answer Question:
■ Explain what is 'searchsploit' and the syntax of using it.
Lecture Summary
■ Exploitation is the 3rd stage of Ethical Hacking,
responsible for gaining access to the target by leveraging
the vulns discovered in stage 2.
■ MSF implements the common exploitation techniques
today, and can be conveniently used to exploit poorly-protected targets.
■ MSF has a rich command set. You should master those
commands covered in this lecture.
■ Due to the easy availability of hacking tools, it is crucial to
patch your software and system regularly.
References
■ Online Tutorial from Offensive Security: Metasploit
Unleashed
▬ https://www.offensive-security.com/metasploit-unleashed/
■ The web links mentioned in the slides of this lecture