On Wednesday [[2023-08-30]] Women4Cyber organised an event at our Helsinki office. Due to some time table shuffling, I was asked to hold the talk. The topic was given: Metasploit. Here is what happened next!
First of all great job and big thanks to everyone involved in the Women4Cyber group, both organising and participating in the event. It had great atmosphere and lots of smiling people.
But the talk! Oh dear, where to begin? Besides all the web based documentation and blog posts there are few good books written about the topic. I like the approach of Kennedy D., O’Gorman J., Kearns D., Ahoroni M.: Metasploit: The Penetration Tester’s Guide (2011). Though old, it still is a good starting point for anyone interested in the Metasploit framework. Good news is that 2nd edition is coming in 2024. Another one I like (and free eBook!) is The Easiest Metasploit Guide You’ll Ever Read by Scott Morris. Armed with these I got to the task.
I was given data polled from the participants of their knowledge level before the event. This left me facing an interesting dilemma: while others told they were somewhat familiar with the tool, others had not even heard about it before. This probably meant that the overall technical skills varied greatly. How to keep everyone engaged without resorting to just talking? How to engage everyone, regardless of prior knowledge? And not get stuck in the swamp of trying to get everyone installed and running in the space of the event?
So I set about working around the problem: create environment where participants can log in and use Metasploit and follow along without installing anything and test the framework against a “live target”. I settled on running Kali Linux on AWS EC2 instance and used Docker to run several Metasploitable test machines. This posed several problems and though I thought I managed to handle most of them, things did not quite work out the way I expected once we as a group started to pound those targets! Shows that having a backup plan is crucial. Thankfully we still got to use few modules and got overall feeling of the Metasploit framework.
As promised after the event, here’s what I had planned as a path to enumerate and exploit the targets.
IMPORTANT NOTE! Never ever ever scan or attack services you do not own or have explicit permission to attack against. This can result in real serious legal trouble. Always make sure your tools only work against intended target. Finally, you are responsible for any software you decide to run. Be sure, be certain, be safe.
Metasploit framework and Metasploitable 3
Metasploit comes installed by default in Kali, but can be installed in other systems as well.
Metasploitable can be difficult to set up. Suggest reading Setting up a vulnerable target.
Note that you absolutely do not need Metasploitable to test Metasploit. Just navigate to your favourite CTF page and choose a target to test it against. Notable CTF services include Hack the Box and Try Hack Me. Both are good fun and a great way to learn.
SSH and terminals
As those who were present probably remember we used SSH to connect to our Metasploit instance running in the cloud. At least some people ran in to the classic “oh damn, I closed the wrong window and now have to start from scratch”. As you might have guessed, this is pretty common. Common enough, in fact, that there’s tooling to get around the problem!
Introducing two excellent tools that everyone should know: screen and tmux. Which ever you decide to use is down to personal preference, but put shortly: screen is easy to use, tmux has much more features. If this is the first time you hear about these tools, screen is the one you want, but if you use terminal a lot tmux might be worth the effort to learn.
But what do these do? Simply put these “terminal multiplexers” allow you to you to close the terminal window and come back to it later. For more in-depth explanation check out the man pages (manual) for the tools: https://linux.die.net/man/1/screen and https://linux.die.net/man/1/tmux
Useful commands:
ssh user@host # Connect to machine "host" using username "user"
screen # Launch a new screen
screen -r # Connect (re-attach) to a running screen
tmux # Launch new tmux
tmux a # Attach to a running tmuxDB and workspace
When using just your own computer and Metasploit instance, this is not strictly necessary, but using shared resources is easier if there is some compartmentalisation. Setting things up might be tricky so be prepared to google stuff and learn a few tricks abot Linux systems if you decide to have a go!
If this seems too much just use the msfconsole without the database. Most people do.
Useful commands:
From terminal
msfdb init # Initialize database. Only use this if you know what you are doing
msfconsole # Start the metasploit clientFrom msfconsole
db_status # Show status of the database connection
workspace # List workspaces
workspace ws_name # Create new workspace called "ws_name". If already exists,
# use workspace "ws_name"Enumeration
The most crucial part of any security testing is enumeration. Enumeration in this context means “find out all you can about the system, even stuff people running the system might not know”. In more practical level it means finding information about the specific services and versions of such services running.
When enumerating we used modules from auxiliary/scanners. Here are few, but do poke around and see what else is offered! Pro tip: use TAB to autocomplete names. Makes finding modules much easier.
Useful commands (from msfconsole):
use auxiliary/scanner/ftp/ftp_version # "Use" (load) a scanner module
info # Show information about the module
options # Show only options that can be set
set RHOSTS <IP> # Set target host address
setg RHOSTS <IP> # Set the target address "globally"
run # run the scanner
exploit # synonym for the "run" commandSetting RHOSTS globally sets it across all the modules, so you need to do it only once. Still a good idea to check before running a module that it points to the right target though.
We also ran nmap scans from within the msfconsole.
db_nmap -A <IP> # Run nmap and save information found to db
hosts # Show hosts found
services # Show services found
db_import nmap_scan.xml # Import previously run nmap resultsDo note that these don’t work unless you have database set up previously.
FTP
We found the exact FTP server software version! That means we can look for an exploit for it.
Useful commands:
search proftpd # Search for module
use 4 # From resulting list, select 4th module
set payload linux/reverse_perl # Choose a suitable payloadRemember to set the remote host (target) address! And as you might fail at first, try other exploits, tweak options and payloads, try again. Be sure to read the full info page.
SSH
SSH can be a major attack vector. While there is specialised tools for brute forcing access, sometimes we just want to test out the low hanging fruit. And for that Metasploit has modules.
Note that we need wordlist with suitable passwords! Kali comes with famous rockyou.txt that is useful in CTF situations, but might not be that useful in real life scenarios.
Let’s use the ssh_login module for this.
Useful commands:
use auxiliary/scanner/ssh/ssh_login
set USER_FILE /usr/share/wordlists/metasploit/unix_users.txt
set PASS_FILE /usr/share/wordlists/rockyou.txt
runThese are examples, you should consider putting together a username & password lists suitable for the target.
Drupal
Common web framework found around the internet is Drupal (https://www.drupal.org). Certain older Drupal versions have quite significant vulnerability, aptly named “drupalgeddon” (https://www.rapid7.com/blog/post/2018/04/27/drupalgeddon-vulnerability-what-is-it-are-you-impacted/). And Metasploit has a module to exploit it.
Useful commands:
search drupal
set TARGETURI /drupal/Sessions and Meterpreter
Now we have few sessions!
Sessions are connections to services we attacked. Depending on the exploit we used we might have different user access levels from www-data (website user) to normal user to root (super user).
Meterpreter is this kind of session, but on steroids. You can do much more with a meterpreter session than with a normal terminal session, even in some cases look through web camera or play sound files on the target system. Those web camera blocking sticker suddenly make more sense, right?
Useful commands:
sessions -l # List open sessions
sessions 1 # Select session 1 from result list
control-Z # Press to move active session to background
search shell_to_meterpreter # Module to upgrade session to meterpreter
? # Help in meterpretersPro tip: search through post exploitation modules to scrape information from compromised system!
Exporting your loot
So now we have gathered information, credentials and materials. This is colloquially know as “loot”, but in Metasploits case it is actually called loot in the system! But (if we are using the db) it is stuck in the database. Have no fear! We can export stuff to XML! Or just dump credentials to a file. For the Excel-loving people there is even option to save data in CSV.
Useful commands:
loot # Show what loot you have found
db_export my_loot.xml # Export database contents to XML file
db_export -f pwdump -a ~/creds_dump.txt # Export credentials to pathThis is also where the paid PRO version differs from the Open Source version: PRO version has more options to generate reports based on the loot.
Final thoughts
Metasploit is a great framework full of excellent modules. It can greatly help the application of exploits to a vulnerable target. But there is always as “but”. No amount of automation can replace the work of a curious person. So use it to help you along your way, but resist the temptation of relaying on single tool over your own expertise.
Remember that the strength of a framework is in the documentation. Read it often. Google examples. Use built in help. Read the module info pages.
Metasploit is also highly tied to Ruby. To understand it more deeply, you might need to learn Ruby. Not a bad thing though, it’s a nice language.
All in all, have fun and break things!
Cyber-Punk-Jaska
