Metasploit 101

Metasploit: Introduction

Intro

Metasploit is the most widely used exploitation framework. Metasploit is a powerful tool that can support all phases of a penetration testing engagement, from information gathering to post-exploitation.

Metasploit has two main versions:

• Metasploit Pro: The commercial version that facilitates the automation and management of tasks. This version has a graphical user interface (GUI).
• Metasploit Framework: The open-source version that works from the command line. This article will focus on this version, installed and most commonly used penetration testing Linux distributions.

The Metasploit Framework is a set of tools that allow information gathering, scanning, exploitation, exploit development, post-exploitation, and more. While the primary usage of the Metasploit Framework focuses on the penetration testing domain, it is also useful for vulnerability research and exploit development.

The main components of the Metasploit Framework can be summarized as follows;

• msfconsole: The main command-line interface.
• Modules: supporting modules such as exploits, scanners, payloads, etc.
• Tools: Stand-alone tools that will help vulnerability research, vulnerability assessment, or penetration testing. Some of these tools are msfvenom, pattern_create, and pattern_offset. We will cover msfvenom within this article, but pattern_create and pattern_offset are tools useful in exploit development, which is beyond the scope of this article.

Modules

A module is a standalone piece of code or software that extends the functionality of the Metasploit Framework. Modules automate the functionality that the Metasploit Framework provides and enable you to perform tasks with Metasploit Pro.

• A module can be an exploit, auxiliary, payload, no-operation payload (NOP), or post-exploitation module. The module type determines its purpose. For example, any module that opens a shell on a large system is an exploit module.

Services, Metasploit Pro runs the following services:

PostgreSQL runs the database that Metasploit Pro uses to store data from a project.

• Ruby on Rails runs the web Metasploit Pro web interface.
• Pro service, or the Metasploit service, bolsters Rails, the Metasploit Framework, and the Metasploit RPC server.

https://www.metasploit.com/

Advantages of Metasploit:

• Industry-accepted tool for testing vulnerabilities and exploits
• Simplifies complex tasks
• A myriad set of capabilities ordered in a systematic manner
• Consistent updates + contains many different types of modules

Main Components of Metasploit

While using the Metasploit Framework, you will primarily interact with the Metasploit console. You can launch it from any Linux distribution terminal using the msfconsole command. The console will be your main interface to interact with the different modules of the Metasploit Framework. Modules are small components within the Metasploit framework that are built to perform a specific task, such as exploiting a vulnerability, scanning a target, or performing a brute-force attack.

Before diving into modules, it would be helpful to clarify a few recurring concepts: vulnerability, exploit, and payload.

• Exploit: A piece of code that uses a vulnerability present on the target system.
• Vulnerability: A design, coding, or logic flaw affecting the target system. The exploitation of a vulnerability can result in the disclosure of confidential information or allow the attacker to execute code on the target system.
• Payload: An exploit will take advantage of a vulnerability. However, if we want the exploit to have the result we want (gaining access to the target system, reading confidential information, etc.), we need to use a payload. Payloads are the code that will run on the target system.

Modules and categories under each one are listed below. These are given for reference purposes, but you will interact with them through the Metasploit console (msfconsole).

Auxiliary

Any supporting module, such as scanners, crawlers, and fuzzers, can be found here.

Main categories of auxiliary modules:

Admin

Auxiliary modules - admin

Crawlers

Auxiliary modules - crawler

This auxiliary module is a modular web crawler to be used in conjunction with wmap (someday) or standalone.

msf > use auxiliary/crawler/msfcrawler

msf auxiliary(msfcrawler) > show actions ... actions.

msf auxiliary(msfcrawler) > set ACTION < action-name >

msf auxiliary(msfcrawler) > show options ... show and set options ...

msf auxiliary(msfcrawler) > run

Scanners

Auxiliary modules - scanners

You have all sorts of scanners that you can use to scan a target. For example, you can scan a Windows machine to see if it’s vulnerable to EternalBlue. Another example is to scan open ports on the target system and network via the portscan module. In this article, I explain how to do that.

Support for different protocols:

• DCERPC
• Discovery
• FTP
• HTTP
• IMAP
• MSSQL
• MySQL
• NetBIOS
• POP3
• SMB
• SMTP
• SNMP
• SSH
• Telnet
• TFTP
• Vmware
• VNC

Fuzzers

Auxiliary modules - fuzzers 

For finding software bugs.

Support for different protocols:

• DNS
• FTP
• HTTP
• NTP
• SMB
• SMTP
• SSH
• TDS

Encoders

Encoders will allow you to encode the exploit and payload in the hope that a signature-based antivirus solution may miss them.

Signature-based antivirus and security solutions have a database of known threats. They detect threats by comparing suspicious files to this database and raising an alert if there is a match. Thus, encoders can have a limited success rate as antivirus solutions can perform additional checks.

Exploits

Exploits, neatly organized by target system.

NOPs

NOPs (No OPeration) do nothing, literally. They are represented in the Intel x86 CPU family with 0x90, following which the CPU will do nothing for one cycle. They are often used as a buffer to achieve consistent payload sizes.

Payloads

Payloads are codes that will run on the target system.

Exploits will leverage a vulnerability on the target system, but to achieve the desired result, we will need a payload. Examples could be: getting a shell, loading a malware or backdoor to the target system, running a command, or launching calc.exe as a proof of concept to add to the penetration test report. Starting the calculator on the target system remotely by launching the calc.exe application is a benign way to show that we can run commands on the target system.

Running a command on the target system is already an important step, but having an interactive connection that allows you to type commands that will be executed on the target system is better. Such an interactive command line is called a "shell". Metasploit offers the ability to send different payloads that can open shells on the target system.

You will see four different directories under payloads: adapters, singles, stagers, and stages.

• Adapters: An adapter wraps single payloads to convert them into different formats. For example, a normal single payload can be wrapped inside a PowerShell adapter, which will make a single PowerShell command that will execute the payload.
• Singles: Self-contained payloads (add user, launch notepad.exe, etc.) that do not need to download an additional component to run. Ex: "windows/x64/pingback_reverse_tcp"
• Stagers: Responsible for setting up a connection channel between Metasploit and the target system. Useful when working with staged payloads. “Staged payloads” will first upload a stager on the target system, then download the rest of the payload (stage). This provides some advantages as the initial size of the payload will be relatively small compared to the full payload sent at once.
• Stages: Downloaded by the stager. This will allow you to use larger-sized payloads.

Metasploit has a subtle way to help you identify single (also called “inline”) payloads and staged payloads.

• generic/shell_reverse_tcp
• windows/x64/shell/reverse_tcp

Both are reverse Windows shells. The former is an inline (or single) payload, as indicated by the “_” between “shell” and “reverse”. While the latter is a staged payload, as indicated by the “/” between “shell” and “reverse”. Refer to What the Shell to learn about (reverse) shells.

Meterpreter shell

Meterpreter is an advanced, dynamically extensible payload that uses in-memory DLL injection stagers and is extended over the network at runtime. It communicates over the Stager socket and provides a comprehensive client-side Ruby API.

Post

Post-modules will be useful during the final stage of the penetration testing process listed above, specifically post-exploitation.

Post Exploitation with Metasploit means the following:

Example: post Windows exploits

Note: the main modules you're going to use are: auxiliary and exploit.

Msfconsole 

As previously mentioned, the console will serve as your primary interface to the Metasploit Framework. You can launch it using the msfconsole command on your Linux terminal or any system the Metasploit Framework is installed.

Once launched, you will see the command line changes to msf6. The Metasploit console (msfconsole) can be used just like a regular command-line shell, as you can see below. The first command is ls which lists the contents of the folder from which Metasploit was launched using the msfconsole command.

It is followed by a ping sent to Google's DNS IP address (8.8.8.8). As we operate from Linux, we had to add the -c 1 option, so only a single ping was sent. Otherwise, the ping process would continue until it is stopped using CTRL+C.

It will support most Linux commands, including clear (to clear the terminal screen), but will not allow you to use some features of a regular command line (e.g., it does not support output redirection), as seen below.

While on the subject, the help command can be used on its own or for a specific command.

You can use the history command to see commands you have typed earlier.

An important feature of msfconsole is the support of tab completion. This will come in handy later when using Metasploit commands or dealing with modules. For example, if you start typing he and press the tab key, you will see it auto-complete to help.

Msfconsole is managed by context; this means that unless set as a global variable, all parameter settings will be lost if you change the module you have decided to use. In the example below, we have used the ms17_010_eternalblue exploit, and we have set parameters such as RHOSTS. If we were to switch to another module (e.g., a port scanner), we would need to set the RHOSTS value again, as all changes we have made remained in the context of the ms17_010_eternalblue exploit. 

Let us look at the example below to have a better understanding of this feature. We will use the MS17-010 “Eternalblue” exploit for illustration purposes.

Once you type the use exploit/windows/smb/ms17_010_eternalblue command, you will see the command line prompt change from msf6 to “msf6 exploit(windows/smb/ms17_010_eternalblue)”. 

Sidenote: The "EternalBlue" is an exploit allegedly developed by the U.S. National Security Agency (NSA) for a vulnerability affecting the SMBv1 server on numerous Windows systems. The SMB (Server Message Block) is widely used in Windows networks for file sharing and even for sending files to printers. EternalBlue was leaked by the cybercriminal group "Shadow Brokers" in April 2017. In May 2017, this vulnerability was exploited worldwide in the WannaCry ransomware attack.

The module to be used can also be selected with the use command, followed by the number at the beginning of the search result line.

While the prompt has changed, you will notice we can still run the commands previously mentioned. This means we did not "enter" a folder as you would typically expect in an operating system command line.

The prompt tells us we now have a context set in which we will work. You can see this by typing the show options command. The show options command shows you the parameters that you need to execute a particular module:

This will print options related to the exploit we have chosen earlier. The show options command will have different outputs depending on the context it is used. The example above shows that this exploit will require us to set variables like RHOSTS and RPORT. On the other hand, a post-exploitation module may only need us to set a SESSION ID (see the screenshot below). A session is an existing connection to the target system that the post-exploitation module will use.

The show command can be used in any context, followed by a module type (auxiliary, payload, exploit, etc.) to list available modules. The example below lists payloads that can be used with the ms17-010 Eternalblue exploit.

If used from the msfconsole prompt, the show command will list all modules.

The use and show options commands we have seen so far are identical for all modules in Metasploit.

You can leave the context using the back command.

Further information on any module can be obtained by typing the info command within its context.

Alternatively, you can use the info command followed by the module’s path from the msfconsole prompt (e.g., info exploit/windows/smb/ms17_010_eternalblue). Info is not a help menu; it will display detailed information on the module, such as its author, relevant sources, etc.

Search

One of the most useful commands in msfconsole is search. This command will search the Metasploit Framework database for modules relevant to the given search parameter. You can conduct searches using CVE numbers, exploit names (eternalblue, heartbleed, etc.), or target systems.

The output of the search command provides an overview of each returned module. You may notice the “name” column already gives more information than just the module name. You can see the type of module (auxiliary, exploit, etc.) and the category of the module (scanner, admin, Windows, Unix, etc.). You can use any module returned in a search result with the command use, followed by the number at the beginning of the result line. (e.g., use 0 instead of use auxiliary/admin/smb/ms17_010_command).

Another essential piece of information returned is in the “rank” column. Exploits are rated based on their reliability. The table below provides their respective descriptions.

Source: https://docs.metasploit.com/docs/using-metasploit/intermediate/exploit-ranking.html

You can direct the search function using keywords such as type and platform.

For example, if we wanted our search results to only include auxiliary modules, we could set the type to auxiliary. The screenshot below shows the output of the search type:auxiliary telnet command.

Remember that exploits take advantage of a vulnerability on the target system and may always show unexpected behavior. A low-ranking exploit may work perfectly, and an excellent-ranked exploit may not, or worse, crash the target system.

That's a wrap!

In the next article, I'll explain how to work with the different modules -- basically, how to get comfortable with Metasploit!

References:

• https://tryhackme.com/room/metasploitintro

Resources:

• [Video] Metasploit For Beginners - Modules, Exploits, Payloads And Shells
• [Wiki] Metasploit
• [GitHub] metasploit-framework
• [Article] Metasploit