Learning Metasploit Exploitation and Development


Learning Metasploit Exploitation and Development

Develop advanced exploits and modules with a fast-paced, practical learning guide to protect what's most important to your organization, all using the Metasploit Framework

Aditya Balapure

BIRMINGHAM - MUMBAI


Copyright © 2013 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals.

However, Packt Publishing cannot guarantee the accuracy of this information.

First published: July 2013

Production Reference: 1160713

Published by Packt Publishing Ltd.

Livery Place 35 Livery Street

Birmingham B3 2PB, UK.

ISBN 978-1-78216-358-9


Credits

Author: Aditya Balapure

Reviewers: Kubilay Onur Gungor, Abhinav Singh

Acquisition Editor: Kartikey Pandey

Lead Technical Editor: Ankita Shashi

Technical Editors: Dennis John, Priya Singh, Sanhita Sawant, Aniruddha Vanage

Copy Editors: Insiya Morbiwala, Aditya Nair, Laxmi Subramanian

Project Coordinator: Gloria Amanna

Proofreaders: Katherine Tarr, Stephen Silk

Indexer: Hemangini Bari

Graphics: Ronak Dhruv

Production Coordinator: Nilesh R. Mohite

Cover Work: Nilesh R. Mohite


About the Author

Aditya Balapure

is an information security researcher, consultant, and author with expertise in the fields of web application penetration testing and enterprise server security. Aditya has 3 years of practical experience in the field of information security. He has quite a few credentials to his name, such as Associate of (ISC)² (CISSP), CEH, ECSA, and MCP, as well as a few international publications and research articles. His deep interest in vulnerability assessment and offensive penetration testing groups him among the white hats of the information security arena. Aditya is extensively involved in conducting corporate trainings in addition to his constant hobby of vulnerability disclosure and security research.

I would like to thank God, my parents, and my friends who have been of valuable help to me always, throughout my life.


About the Reviewers

Kubilay Onur Gungor

has been working in the IT security field for more than 7 years; he started his professional security career with the cryptanalysis of images encrypted using chaotic logistic maps. He gained experience in the network security field by working in the Data Processing Center of Isik University, where he was the president of the Information Security and Research Club. After working as a QA tester on the Netsparker Web Application Security Scanner project, he continued his career in the penetration testing field with one of the leading security companies in Turkey. He performed many penetration tests and consultancies for the IT infrastructure of several large clients, such as banks, government institutions, and telecommunication companies.

Currently (since September 2012), he is working with the Sony Europe Incident Management team to develop incident management and overall cyber security strategies.

Kubilay has also been developing multidisciplinary cyber security approaches, including criminology, conflict management, perception management, terrorism, unconventional warfare theory, international relations, and sociology. He is the founder of Arquanum Multidisciplinary Cyber Security and Intelligence, an international research society for implications of implementing different disciplines into cyber struggles.

Kubilay has participated in many security conferences as a frequent speaker.

Besides security certificates, he holds Foreign Policy, Marketing and Brand Management, and Surviving certificates.

He is a full-patch member of the Freedom Riders Motorcycle Club.


Abhinav Singh

is a young information security specialist from India. He has a keen interest in the field of Hacking and Network Security and has adopted this field as his full-time employment. He is the author of Metasploit Penetration Testing Cookbook, Packt Publishing, a book dealing with pen-testing using the most widely used framework. Abhinav's work has been quoted in several portals and technology magazines. He is also an active contributor to the SecurityXploded community. He can be reached via e-mail at [email protected]. His Twitter handle is @abhinavbom.

I would like to thank my grandparents for their blessings, my parents for their support, and my sister for being my perfect doctor.


www.PacktPub.com

Support files, eBooks, discount offers and more

You might want to visit www.PacktPub.com for support files and downloads related to your book.

Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at [email protected] for more details.

At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters and receive exclusive discounts and offers on Packt books and eBooks.


http://PacktLib.PacktPub.com

Do you need instant solutions to your IT questions? PacktLib is Packt's online digital book library. Here, you can access, read and search across Packt's entire library of books.

Why Subscribe?

• Fully searchable across every book published by Packt

• Copy and paste, print and bookmark content

• On demand and accessible via web browser

Free Access for Packt account holders

If you have an account with Packt at www.PacktPub.com, you can use this to access PacktLib today and view nine entirely free books. Simply use your login credentials for immediate access.


Table of Contents

Preface

Chapter 1: Lab Setup
    Installing Oracle VM VirtualBox
    Installing Windows XP on Oracle VM VirtualBox
    Installing BackTrack 5 R2 on Oracle VM VirtualBox
    Summary

Chapter 2: Metasploit Framework Organization
    Metasploit interfaces and basics
    Exploit modules
    Auxiliary modules
    Payloads – in-depth
    Summary
    References

Chapter 3: Exploitation Basics
    Basic terms of exploitation
    How does exploitation work?
    A typical process for compromising a system
    Finding exploits from online databases
    Summary
    References

Chapter 4: Meterpreter Basics
    Working of the Meterpreter
    Meterpreter in action
    Summary
    References

Chapter 5: Vulnerability Scanning and Information Gathering
    Information Gathering through Metasploit
    Active Information Gathering
    Working with Nmap
    Nmap discovery options
    Nmap advanced scanning options
    Port scanning options
    Working with Nessus
    Report importing in Metasploit
    Summary
    References

Chapter 6: Client-side Exploitation
    What are client-side attacks?
    Browser exploits
    Tutorial
    Internet Explorer shortcut icon exploit
    Internet Explorer malicious VBScript code execution exploit
    Summary
    References

Chapter 7: Post Exploitation
    What is post exploitation?
    Phases of post exploitation
    Tutorial
    Summary
    References

Chapter 8: Post Exploitation – Privilege Escalation
    Understanding Privilege Escalation
    Exploiting the victim's system
    Privilege escalation by post exploitation
    Summary
    References

Chapter 9: Post Exploitation – Cleaning Up Traces
    Disabling firewalls and other network defenses
    Disabling firewalls through VBScript
    Antivirus killing and log deletion
    Summary
    References

Chapter 10: Post Exploitation – Backdoors
    What is a backdoor?
    Payload tools
    Creating an EXE backdoor
    Creating a fully undetectable backdoor
    Metasploit persistent backdoor
    Summary
    References

Chapter 11: Post Exploitation – Pivoting and Network Sniffing
    What is pivoting?
    Pivoting in a network
    Sniffing in a network
    Espia Extension
    Summary
    References

Chapter 12: Exploit Research with Metasploit
    Exploit writing tips and tricks
    Important points
    Format for an exploit
    Exploit mixins
    The Auxiliary::Report mixin
    Widely used exploit mixins
    Editing an exploit module
    Working with payloads
    Writing exploits
    Scripting with Metasploit
    Summary
    References

Chapter 13: Using Social Engineering Toolkit and Armitage
    Understanding the Social Engineering Toolkit
    Attack options
    Armitage
    Working with Hail Mary
    Meterpreter—access option
    Summary
    References

Index


Preface

Learning Metasploit Exploitation and Development is a guide to real-world network hacking with the best tricks to master the art of exploitation.

This book has been designed in well-defined stages to facilitate effective learning.

From the actual setup to vulnerability assessment, and finally exploitation, this book gives in-depth knowledge of penetration testing. The book deals with vulnerability assessment exercises with some of the industrially-used tools and report making tips. It covers the topics of client exploitation, backdoors, post-exploitation, and also exploit development with Metasploit.

This book has been developed keeping in mind a practical hands-on approach so that readers can effectively try and test what they actually read. We are confident this book will prove to be effective in helping you develop the skills of an offensive penetration tester.

What this book covers

Chapter 1, Lab Setup, covers the complete lab setup required during the course of the book.

Chapter 2, Metasploit Framework Organization, covers the organization of the Metasploit Framework, including its various interfaces and its architecture.

Chapter 3, Exploitation Basics, covers the concepts of vulnerability, payloads, and the basics of exploitation. We will also learn how to compromise vulnerable systems using various exploitation techniques through Metasploit.

Chapter 4, Meterpreter Basics, covers how a user compromises a system through the meterpreter and what types of information he may be able to extract using the meterpreter functionalities after exploitation.


Chapter 5, Vulnerability Scanning and Information Gathering, covers various techniques of information gathering about a victim using the modules of Metasploit.

Chapter 6, Client-side Exploitation, covers the various techniques of client-side exploitation through Metasploit.

Chapter 7, Post Exploitation, covers the first phase of post-exploitation and discusses various information-gathering techniques of the compromised system through the meterpreter.

Chapter 8, Post Exploitation – Privilege Escalation, covers the various techniques of elevating privileges after compromising a system. We will use various scripts and post-exploitation modules to achieve this task.

Chapter 9, Post Exploitation – Cleaning Up Traces, covers the various techniques of clearing our tracks after compromising a system and avoiding being caught by the system administrator.

Chapter 10, Post Exploitation – Backdoors, covers how to make a backdoor executable deploy at the compromised system for a persistent connection.

Chapter 11, Post Exploitation – Pivoting and Network Sniffing, covers the various techniques through which we can use a compromised server or system on the external network as a pivot to reach and exploit systems on a different, internal network.

Chapter 12, Exploit Research with Metasploit, covers the basics of exploit development using Metasploit, crafting exploits with Metasploit and using various payloads for the exploits.

Chapter 13, Using Social Engineering Toolkit and Armitage, covers how to use the add- on tools to the Metasploit Framework and further enhance our skills of exploitation.

What you need for this book

The software required to practice hands-on along with this book is BackTrack 5 R2/R3, Windows XP SP2, and Oracle VM VirtualBox.

Who this book is for

This book is for security professionals interested in network exploitation and hacking. Its chapters build the skills of a professional penetration tester assessing enterprise networks.


Conventions

In this book, you will find a number of styles of text that distinguish between different kinds of information. Here are some examples of these styles, and an explanation of their meaning.

Code words in text are shown as follows: "The important directories get listed which are data, external, tools, plugins, and scripts."

New terms and important words are shown in bold. Words that you see on the screen, in menus or dialog boxes for example, appear in the text like this: "If we want to configure our network settings manually, we can select Custom settings and then click on Next >".

Warnings or important notes appear in a box like this.

Tips and tricks appear like this.

Reader feedback

Feedback from our readers is always welcome. Let us know what you think about this book—what you liked or may have disliked. Reader feedback is important for us to develop titles that you really get the most out of.

To send us general feedback, simply send an e-mail to [email protected], and mention the book title via the subject of your message.

If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, see our author guide on www.packtpub.com/authors.

Customer support

Now that you are the proud owner of a Packt book, we have a number of things to help you to get the most from your purchase.


Errata

Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you find a mistake in one of our books—maybe a mistake in the text or the code—we would be grateful if you would report this to us. By doing so, you can save other readers from frustration and help us improve subsequent versions of this book.

If you find any errata, please report them by visiting http://www.packtpub.com/submit-errata, selecting your book, clicking on the errata submission form link, and entering the details of your errata. Once your errata are verified, your submission will be accepted and the errata will be uploaded on our website, or added to any list of existing errata, under the Errata section of that title. Any existing errata can be viewed by selecting your title from http://www.packtpub.com/support.

Piracy

Piracy of copyright material on the Internet is an ongoing problem across all media.

At Packt, we take the protection of our copyright and licenses very seriously. If you come across any illegal copies of our works, in any form, on the Internet, please provide us with the location address or website name immediately so that we can pursue a remedy.

Please contact us at [email protected] with a link to the suspected pirated material.

We appreciate your help in protecting our authors, and our ability to bring you valuable content.

Questions

You can contact us at [email protected] if you are having a problem with any aspect of the book, and we will do our best to address it.


Chapter 1: Lab Setup

In this chapter we are going to demonstrate the complete lab setup needed for the practical, hands-on working experience with this book. To set up the lab we need three things: Oracle VM VirtualBox, Microsoft Windows XP SP2, and BackTrack 5 R2.

Oracle VM VirtualBox is a virtualization application, originally developed by Innotek and now maintained by Oracle after passing through Sun Microsystems, that runs multiple operating systems on a single computer. It supports many guest operating systems, including Linux, Mac OS X, Solaris, BSD, and OS/2. Each virtual machine runs its own operating system in parallel with the host operating system. Network adapters, USB devices, and physical disk drives can also be exposed to a virtual machine.

Microsoft Windows XP is an operating system produced by the Microsoft Corporation. It is primarily used for personal computers and laptops.

BackTrack is a free Linux distribution that is widely used by security professionals and penetration testers. It bundles a large collection of open source tools for penetration testing and digital forensics.

Now we will install both operating systems in Oracle VM VirtualBox, and use BackTrack as an attacker machine and Windows XP as the victim machine.


Installing Oracle VM VirtualBox

The steps for installing Oracle VM VirtualBox are:

1. First, run the setup file to start the installation procedure and then click on Next >.

2. Now choose the installation directory where you want to install and click on Next >.


3. Select the shortcut option if you want to create a shortcut icon on the desktop or in the launch bar and then click on Next >.

4. The installer warns that it will temporarily reset your network connections while it installs its networking drivers; click on Yes to continue the installation wizard.


5. The setup wizard is ready for the installation, click on Install to continue.

6. The setup has started the installation and it will take several minutes to complete.

7. Now it will ask to install the USB device driver, click on Install to install the driver software.


8. After a few minutes the installation wizard is finished and Oracle VM VirtualBox is ready for use. Click on Finish.


Installing Windows XP on Oracle VM VirtualBox

Now we are going to install Windows XP SP2 in VirtualBox. Just perform the following steps for successful installation:

1. First, launch your VirtualBox and click on New.

2. You will get a new window with the message Welcome to the New Virtual Machine Wizard; click on Next.

3. You will get a new window showing memory options, here we will need to specify the amount of base memory (RAM) for our virtual machine. Select the amount of memory and then click on Next.


4. After this we will get a new window with the option to create a virtual hard disk. Here we will select Create new hard disk and click on Next.


5. We then get a new window with the message Welcome to the Virtual disk creation wizard. Here we have some options for the hard disk file type; we select VDI (VirtualBox Disk Image). You may select another type of file, but VDI is recommended for best performance. After selecting the file type, click on Next.

6. We then see a new window named Virtual disk storage details, which describes the two storage types: Dynamically allocated and Fixed size. Either works, and the choice is up to you; in this case we select Dynamically allocated and click on Next to continue.


7. Now we will get a new window with options for the Location and Size of the virtual disk file. We choose the location where we want to create the file for the virtual disk. After that, select the size for your virtual disk. In this case we are specifying 10 GB space for virtual disk. Then click on Next to continue.


8. We then get a new window with the summary of our virtual machine settings. In this window we can check the settings we previously provided for our virtual machine, such as the file type of our hard disk, storage details, location details, and the size of our hard disk. After checking the settings we then click Create.

9. We get the Summary window which will show us that it is going to create our virtual machine with the following parameters: name of the virtual machine, type of operating system, base memory (RAM), and the size of the hard disk. After verifying all of the settings, click on Create to create the virtual machine.

10. Now Oracle VM VirtualBox Manager will open, and it will show the virtual machine in the right pane. Select that virtual machine and click on Start to start the installation process for Windows XP.


11. A new window will appear with the message Welcome to the First Run Wizard! Click on Next to begin.


12. Now a new window will appear with the option of selecting the source installation media. This option allows us to select the ISO image of Windows XP, or the DVD-ROM drive to install from a CD/DVD. Select the appropriate option and then click on Next.

13. A new Summary window will open and it will show the type of media that was selected for installation, the media source, and the type of device. Click on Start.


14. Windows XP installation will start and a blue screen appears with the message Windows Setup on the upper-left side.

15. Now we will get a new window with the message Welcome to setup. Here we can see three options, the first option is To set up Windows XP now, press ENTER.


16. We will then be prompted to agree to the Windows XP license; press F8 to accept.

17. After accepting the agreement we will see the unpartitioned space dialog. We will need to create partitions from this unpartitioned space. Select the second option To create partition in the unpartitioned space, press C.

18. After pressing C, the next step is to set the size of the new partition and then press Enter.


19. After creating the new partition, we can now see three options here; select the first option To set up Windows XP on the selected item, press ENTER to continue.


20. Now we have to format the selected partition before continuing the installation process. Here we see four options for formatting and select the first option which is Format the partition using the NTFS file system (Quick) and press Enter.

21. Now setup will format the partition.


22. After formatting the partition, the setup will copy the Windows files.

23. After copying the Windows files it will restart your virtual machine after 10 seconds, or press ENTER for immediate restart.


24. After restarting the virtual machine you will see the Windows XP boot screen.

25. The Windows installation process will start and will take approximately 40 minutes to complete.

26. Now a new window will appear for Regional and language Options, just click on Next >.

27. After that a new window will appear asking for your Name and Organization name; enter these details and click on Next >.


28. A new window will appear asking for the Product Key; enter the key and click on Next >.


29. The next wizard will ask for a Computer name and Administrator password, enter these details and click on Next >.

30. This will be followed by a screen to enter the date, time, and time zone settings. Select the time zone according to your country, enter the date and time, and then click on Next >.


31. We will see the installation screen again, with Installing Network settings.


32. A new window will prompt us to choose the network settings. Select Typical settings. If we want to configure our network settings manually, we can select Custom settings and then click on Next >.

33. The wizard will ask if we want to make the computer a member of the workgroup or domain. For our lab we select WORKGROUP and click on Next >.


34. We will then see the Windows XP boot screen.

35. After Windows XP has booted, we will see a message Welcome to Microsoft Windows. To continue, click on Next.

36. The wizard will ask whether or not to turn on automatic updates. Make the selection according to your preference and then click on Next.


37. The next wizard will ask about internet connectivity; we suggest you skip it by clicking on Skip.

38. Now the wizard will ask about online registration; we do not want to register, so we select the second option and click on Next.


39. Next the wizard will ask for the usernames of the people who will use this computer. Enter the names and click on Next.


40. You will see a Thank You message; click on Finish.

41. Now your Windows XP installation is ready for use.


Installing BackTrack 5 R2 on Oracle VM VirtualBox

Now we are going to install BackTrack 5 R2 on VirtualBox. Perform the following steps:

1. First, launch your Oracle VM VirtualBox.

2. A new window will appear with the message Welcome to the New Virtual Machine Wizard; click on Next.


3. We follow the same process which we followed during our Windows XP virtual machine creation for the BackTrack virtual machine setup. Our BackTrack machine will be set up and the summary displayed as shown in the following screenshot. Click on Create:

4. Now Oracle VM VirtualBox Manager will open and will show the new virtual machine in the right pane. Select that virtual machine and click on Start to start the installation process of BackTrack 5.


5. A new window will appear with the message Welcome to the First Run Wizard!; click on Next to begin.

6. A new window will appear with options for selecting source installation media. Select the ISO image of BackTrack 5 or the DVD Rom drive to install from CD/DVD, and then click on Next.


7. A new Summary window will open, and it will show the type of media that was selected for installation, the media source, and the type of device; now click on Start.

8. We will see a black boot screen; just press Enter.


9. BackTrack boots to a command-line prompt, root@bt:~#. Type startx and press Enter to start the graphical desktop.


10. Now the BackTrack GUI interface will start and we will see an icon named Install BackTrack. We will have to click on that icon to continue the installation process.

11. After that, the installation wizard will start. Select the language and click on Forward.


12. The installation wizard will automatically set the time from the network time server.

13. Select the Time Zone and Region, and click on Forward.

14. The next wizard will ask for the Keyboard layout. Select the appropriate layout according to your language and click on Forward.


15. The disk partition wizard will appear. Just use the default settings and click on Forward.

16. Now click on Install.


17. The setup will start copying files. It will take approximately 40 minutes to complete the installation.

18. After finishing the installation, just click on Restart, and now the BackTrack installation is ready for use.
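The GUI wizard steps above can also be scripted. The following POSIX shell script is an added example, not part of the book, that creates both virtual machines with VBoxManage, VirtualBox's command-line tool. The VM names, ISO paths, RAM sizes, the internal-network name pentestlab, and the snapshot name are all assumptions made here. Unlike the wizard's default NAT adapter, it places both VMs on a VirtualBox internal network, so the unpatched Windows XP SP2 victim can talk to the attacker but has no route to your host LAN or the Internet. By default the script only prints the VBoxManage commands it would run; set APPLY=1 to execute them.

```shell
#!/bin/sh
# Added example (not from the book): build the two-VM lab from the command line
# with VBoxManage instead of the GUI wizard. VM names, ISO paths, RAM sizes,
# the internal network name "pentestlab" and the snapshot name are assumptions
# made here. By default the script only PRINTS the VBoxManage commands; APPLY=1
# executes them.

VBOXMANAGE="${VBOXMANAGE:-VBoxManage}"
LAB_NET="${LAB_NET:-pentestlab}"   # VirtualBox internal network: guests see only each other
VM_DIR="${VM_DIR:-$HOME/VirtualBox VMs}"

# run CMD...: execute the command, or print it when APPLY is not 1.
run() {
    if [ "${APPLY:-0}" = 1 ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# create_vm NAME OSTYPE MEM_MB DISK_MB ISO
# Registers the VM, gives it a dynamically allocated VDI of DISK_MB megabytes
# (the book's "Dynamically allocated" choice), attaches the install ISO as the
# IDE DVD drive, and puts the single NIC on the isolated internal network
# rather than the NAT adapter VirtualBox configures by default.
create_vm() {
    name=$1; ostype=$2; mem=$3; disk_mb=$4; iso=$5
    vdi="$VM_DIR/$name/$name.vdi"
    run "$VBOXMANAGE" createvm --name "$name" --ostype "$ostype" --register
    run "$VBOXMANAGE" modifyvm "$name" --memory "$mem" --nic1 intnet --intnet1 "$LAB_NET"
    run "$VBOXMANAGE" createhd --filename "$vdi" --size "$disk_mb" --variant Standard
    run "$VBOXMANAGE" storagectl "$name" --name IDE --add ide
    run "$VBOXMANAGE" storageattach "$name" --storagectl IDE --port 0 --device 0 --type hdd --medium "$vdi"
    run "$VBOXMANAGE" storageattach "$name" --storagectl IDE --port 1 --device 0 --type dvddrive --medium "$iso"
}

# snapshot_clean NAME: call once the guest OS install has finished, so the
# victim can be rolled back to a known-clean state after each exercise.
snapshot_clean() {
    run "$VBOXMANAGE" snapshot "$1" take clean-install
}

# Victim: Windows XP SP2, 512 MB RAM (assumed) and the 10 GB disk used in the chapter.
create_vm WinXP-victim WindowsXP 512 10240 "${XP_ISO:-$HOME/iso/winxp-sp2.iso}"
# Attacker: BackTrack 5 R2 (Ubuntu 10.04 based), 1 GB RAM and 20 GB disk (assumed).
create_vm BT5R2-attacker Ubuntu 1024 20480 "${BT_ISO:-$HOME/iso/BT5R2-GNOME-32.iso}"
```

Review the printed plan, then rerun with APPLY=1 to create the VMs and start each one from the VirtualBox GUI to walk through the interactive installs. Once an install has finished, source the script and run APPLY=1 snapshot_clean WinXP-victim so a compromised victim can be reset with a single VBoxManage snapshot restore.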


Summary

In this lab setup we have set up the victim and attacker machines, which we will use for our practical sessions. The next chapter will cover the Metasploit framework organization, the basics, architecture, and a brief introduction to it.


Chapter 2: Metasploit Framework Organization

In this chapter we will investigate the organization of Metasploit Framework.

Metasploit Framework is an open source project created by HD Moore in 2003 and acquired by Rapid7 LLC on October 21, 2009. Metasploit 2.0 was released in April 2004 with 19 exploits and 27 payloads. Development has been constant since then; at the time of writing the current version is Metasploit 4.5.2, which ships hundreds of exploits and payloads. Moore created the framework for developing exploit code and attacking vulnerable remote systems. It is considered one of the best penetration testing tools and integrates with vulnerability scanners such as Nessus. The project started out in Perl and was later rewritten in Ruby. Since the acquisition, Rapid7 has added two proprietary editions, Metasploit Express and Metasploit Pro. Metasploit runs on Windows, Linux, and Mac OS X.


Metasploit interfaces and basics

First we will see how to access the Metasploit Framework from the terminal. Open your terminal and type msfconsole; on BackTrack the command line reads root@bt:~# msfconsole.

We have now opened msfconsole from the terminal; however, there are other ways to access the Metasploit Framework, including msfgui, msfcli, msfweb, Metasploit Pro, and Armitage. For our purposes, in this book we will use msfconsole for the most part.

So how is Metasploit really organized? We have just seen that it exposes several interfaces. We will look at the details of the architecture as we dig deeper into the various aspects of Metasploit; for now the important thing is to understand the overall structure. The framework is open source, which allows you to create your own modules, scripts, and many other interesting things in Metasploit.

The library architecture in Metasploit is as follows:

• Rex: This is the basic library used in Metasploit for various protocols, transformations, and socket handling. It supports SSL, SMB, HTTP, XOR, Base64, and random text.

• Msf::Core: This library defines the framework and provides the basic application interface for Metasploit.

• Msf::Base: This library provides a simplified and friendly application interface for the Metasploit Framework.

Now we will explore the Metasploit directory a little more. Just follow these steps to explore the directory:

1. Open your BackTrack5 R2 virtual machine and your terminal. Type cd /opt/metasploit/msf3 and then press Enter. Now we have entered the Metasploit Framework directory. To view the list of files and directories in the Metasploit directory type in ls.


2. After typing the ls command we can see a bunch of directories and scripts here. The important directories listed are data, external, tools, plugins, and scripts.

We will explore all of these important directories one-by-one:

• We enter the data directory by typing the command cd data/. This directory holds the supporting files that modules use at runtime, organized into subdirectories such as meterpreter, exploits, wordlists, templates, and many more.

° Next we will explore the meterpreter directory. Type cd meterpreter/ and we will see many .dll files. These are the Windows DLLs that implement the Meterpreter server and its extensions, which provide the post-exploitation functionality; alongside them sit the Java and PHP versions of Meterpreter.


° Another directory in data is wordlists. It contains username and password lists for different services such as HTTP, Oracle, Postgres, VNC, SNMP, and more. To get there from the meterpreter directory, type cd .. and press Enter to return to data, then type cd wordlists and press Enter.


• Another interesting directory is external in msf3, which contains external libraries used by Metasploit. Let us explore the external directory by typing cd external.


• Then have a look at the scripts directory inside msf3. It contains the scripts used by Metasploit, such as the Meterpreter scripts. To enter it, type cd scripts and then ls to view the list of files and folders.

• Another important directory in msf3 is the tools directory. It contains standalone helper tools for exploit development. We explore it by typing cd tools and then ls, which shows tools such as pattern_create.rb and pattern_offset.rb. These two are extremely useful for exploit research: pattern_create.rb generates a cyclic, non-repeating string to send as the overflow buffer, and pattern_offset.rb maps the value that ends up in the instruction pointer after the crash back to its offset in that buffer.
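The following is an added example, not Metasploit's own code, showing in a few lines what pattern_create.rb and pattern_offset.rb do. The character sets, the simulated crash, and the 0x41306241 value are the example's own; the real tools accept custom character sets and can produce patterns longer than the 20280 bytes that one pass through three sets gives.

```ruby
# Added example, not Metasploit's own code: a minimal re-implementation of what
# tools/pattern_create.rb and tools/pattern_offset.rb do.
UPPER = ('A'..'Z').to_a.freeze
LOWER = ('a'..'z').to_a.freeze
DIGIT = ('0'..'9').to_a.freeze

# Build the cyclic pattern "Aa0Aa1Aa2...": every 4-byte window is unique within
# one cycle, which is what lets a crash address map back to a single offset.
def pattern_create(length)
  pattern = +''
  UPPER.each do |u|
    LOWER.each do |l|
      DIGIT.each do |d|
        return pattern[0, length] if pattern.length >= length
        pattern << u << l << d
      end
    end
  end
  pattern[0, length] # reached only if length exceeds one full cycle (20280 bytes)
end

# Given the value that landed in EIP after the crash (an Integer, treated as a
# little-endian 32-bit word) or a raw string fragment, return its offset into
# the pattern, or nil if the value did not come from the pattern at all.
def pattern_offset(pattern, value)
  needle = value.is_a?(Integer) ? [value].pack('V') : value
  pattern.index(needle)
end

# Simulated crash (constructed for the example): pretend the saved return
# address sat 30 bytes into the buffer. Reading 4 bytes there as a little-endian
# dword gives what a debugger would show in EIP, here 0x41306241 ("Ab0A").
if __FILE__ == $PROGRAM_NAME
  buf = pattern_create(200)
  eip = buf[30, 4].unpack('V').first
  printf("EIP=0x%08x -> offset %d\n", eip, pattern_offset(buf, eip))
end
```

Run it with ruby and the offset reported is 30, the same answer tools/pattern_offset.rb would give for that EIP value. A nil result from pattern_offset means the crash value was not taken from the pattern, typically because the overwrite came from a different buffer or the bytes were mangled on the way in.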


• The last useful directory is plugins in the msf3 directory. The plugins directory contains plugins for integrating third-party tools such as nessus plugins, nexpose plugins, wmap plugins, and other plugins with Metasploit.

Let us have a look at the plugins directory by typing cd plugins and then the ls command to see the list of plugins.

From the preceding explanation, we now have a brief understanding of the directory structure of Metasploit and the purpose of each part. One important thing is to keep Metasploit updated so that you have the latest modules. Open your terminal and type in msfupdate; it may take a while to fetch the latest modules.


Exploit modules

Before moving to the exploitation techniques, first we should understand the basic concepts of an exploit. An exploit is a computer program that takes advantage of a particular vulnerability.

Now look at the exploit modules in the modules directory of msf3. Open your terminal and type in cd /opt/metasploit/msf3/modules/exploits followed by the ls command to see the list of exploits.

Here we can see the list of exploit modules. Basically exploits are categorized on the basis of operating systems. So let us look at the windows directory of exploit modules by typing cd windows.


In the windows directory we can see a lot of exploit modules which are categorized according to the Windows services such as ftp, smb, telnet, browser, email, and more. Here we will show you one type of service exploit by exploring a directory.

As an example we select smb.

We see the list of smb service exploits, which are Ruby source files. To view the code of any exploit we type cat <exploitname>. As an example we select ms08_067_netapi.rb, so we type cat ms08_067_netapi.rb.


Auxiliary modules

Auxiliary modules are modules that do not deliver a payload. They are used for a variety of tasks such as port scanning, fingerprinting, service scanning, and more. There are different types of auxiliary modules: protocol scanners, network protocol fuzzers, port scanners, wireless modules, denial of service modules, server modules, administrative access modules, and so on.

Now let us explore the auxiliary modules directory under msf3. Type cd /opt/metasploit/msf3/modules/auxiliary and then ls to view the list of auxiliary modules.

Here we can see the list of auxiliary modules such as admin, client, fuzzers, scanner, vsploit, and more. Now we will explore the scanner directory as an auxiliary module.


In the scanner directory we see modules categorized according to the service they scan. We can pick any service for exploration; here we select ftp.

In the ftp directory we can see three Ruby scripts. To view a module's Ruby code just type in cat <module name>; for example, here we type cat anonymous.rb.


Payloads – in-depth

A payload is the code that runs after a system is compromised. The payload is typically attached to and delivered with an exploit. There are three types of payloads in Metasploit: singles, stagers, and stages. Stagers are tiny so that they fit into the small amount of space an exploit often has available; during exploitation, an exploit developer has a very limited amount of memory to work with. The stager uses this space and its job is to pull down the rest of the payload, the stage. Singles, on the other hand, are self-contained and completely standalone, as simple as running a small executable.

Let us have a look at the payload modules directory in the following screenshot:

Singles are self-contained payloads for a specific task such as creating a user, binding a shell, and so on. As an example, the windows/adduser payload creates a user account. Now we will explore the singles payload directory. Here we will see that the payloads are categorized according to operating systems such as AIX, BSD, Windows, Linux, and so on.


We will use the windows directory as a demonstration of how the payload works.

We will use the adduser payload, which has already been explained. We can view the code of this payload by typing in cat adduser.rb.

Stagers are payloads that set up a connection between the attacker and the victim machine. For example, if we want to deliver a Meterpreter payload we cannot fit the entire Meterpreter DLL into the exploit, so the process is split into two parts. The first, smaller part is the stager. Once the stager executes it makes a network connection between the victim and the attacker. Over this connection the larger payload, the stage, is delivered to the victim machine.


We will now explore the stagers payload directory. As we can see in the following screenshot, the payloads are categorized according to the different operating systems:

As an example we will explore the bsd directory and examine the list of payloads.

Stages are the type of payload that are downloaded and executed by the stagers payload such as Meterpreter, VNC server, and so on.
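To make the stager/stage split concrete, here is an added example (not Metasploit's own code) modelling the exchange between a reverse_tcp stager and the handler. The framing follows what a Metasploit handler sends to a connected stager: a 4-byte little-endian length followed by the stage bytes. The fake stage contents, the size cap, and the in-memory stream standing in for the socket are assumptions of the example.

```ruby
# Added example, not Metasploit's own code: a model of the reverse_tcp staging
# handshake. Handler side frames the stage; stager side reads it back.
require 'stringio'

# Assumed sanity cap for this example; real stagers generally allocate whatever
# length the handler sends, which is why stagers are only ever pointed at a
# handler you control.
MAX_STAGE = 16 * 1024 * 1024

# Handler side: 4-byte little-endian length, then the stage bytes.
def frame_stage(stage)
  [stage.bytesize].pack('V') + stage.b
end

# Stager side: read the length, then exactly that many bytes. Returns the stage
# or raises if the stream is short or the length is implausible.
def stager_receive(io)
  header = io.read(4)
  raise 'connection closed before stage length' unless header && header.bytesize == 4
  len = header.unpack('V').first
  raise "refusing stage of #{len} bytes" if len.zero? || len > MAX_STAGE
  stage = io.read(len)
  raise 'truncated stage' unless stage && stage.bytesize == len
  stage
end

# Round trip over an in-memory stream; a TCP socket behaves the same way here.
def stage_roundtrip(stage)
  stager_receive(StringIO.new(frame_stage(stage)))
end

if __FILE__ == $PROGRAM_NAME
  # Constructed stand-in for a stage; a real one would be the Meterpreter
  # loader and DLL, which the stager then jumps into.
  fake_stage = ("\x90".b * 16) + 'FAKE-METERPRETER-STAGE'.b
  got = stage_roundtrip(fake_stage)
  puts "stager received #{got.bytesize} bytes, stage intact: #{got == fake_stage}"
end
```

The stager itself is only the part that opens the connection and runs stager_receive; everything interesting (Meterpreter, a VNC server) travels as the stage, which is why the same stager can front many different stages.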


Now we will explore the stages directory to view the list of payloads.

Here we have the same result we saw in the singles and stagers directory; the payloads are categorized according to the different operating systems. We open the netware directory to view the list.


Summary

In this chapter we covered the different interfaces and the architecture of the Metasploit Framework. The chapter flow included the operation techniques of Metasploit followed by the architectural base. We further covered the various Metasploit libraries and application interfaces, namely Rex, Msf::Core, and Msf::Base. We then explored the Metasploit directories in depth, along with descriptions of the important ones.

We then moved on to the exploit directory and briefly explained how exploits are categorized according to operating systems and their services. We then moved to the auxiliary directory, and explored how auxiliary modules are classified according to services such as scanning and fuzzing.

Another important directory we covered was the payload directory which shows how the payloads are categorized into three different types. We further classified the payloads according to operating system.

Through this chapter we covered the basic Metasploit Framework and its architecture. In the next chapter we will start some hands-on action with exploitation basics.


References

The following are some helpful references that shed further light on some of the topics covered in this chapter:

• http://en.wikipedia.org/wiki/Metasploit_Project

• http://www.offensive-security.com/metasploit-unleashed/Metasploit_Architecture

• http://www.offensive-security.com/metasploit-unleashed/Metasploit_Fundamentals

• http://www.offensive-security.com/metasploit-unleashed/Exploits

• http://www.offensive-security.com/metasploit-unleashed/Payloads

• http://www.securitytube.net/video/2635

• http://metasploit.hackplanet.in/2012/07/architecture-of-metasploit.html


Exploitation Basics

Exploitation refers to the art of compromising a computer system. The basics of computer exploitation involve a deep understanding of vulnerabilities and payloads. An exploit is a piece of carefully written code that, when run against a targeted system, may compromise that system. An exploit usually targets a known vulnerability: a flaw in a service or a piece of poorly written code. In this chapter, we will discuss the basics of how to find vulnerable systems and then exploit them.

Basic terms of exploitation

The basic terms of exploitation are explained as follows:

• Vulnerability: A vulnerability is a security hole in software or hardware that allows an attacker to compromise a system. It can be as simple as a weak password or as complex as a flaw that allows denial of service or remote code execution.

• Exploit: An exploit is the code with which an attacker takes advantage of a particular vulnerability to gain entry into a system.

• Payload: Once an exploit has run on the vulnerable system and the system has been compromised, the payload is the code that lets us control it. The payload is typically attached to the exploit and delivered with it.


• Shellcode: This is a set of instructions usually used as a payload when the exploitation occurs.

• Listener: A listener works as component waiting for an incoming connection.

Figure: Vulnerability, Exploit, Payload

How does exploitation work?

Consider a computer lab in which two students are working on their computers. After some time one of the students goes out for a coffee break and responsibly locks his computer. The password for that locked computer is Apple, a very simple dictionary word, and that is the vulnerability. The other student starts a password guessing attack against the computer of the student who left the lab; that attack is the exploit. Whatever lets the malicious user control the system after successfully logging in is the payload.

We now come to the bigger question of how exploitation actually works. An attacker sends an exploit with an attached payload to the vulnerable system. The exploit runs first and, if it succeeds, the code of the payload runs. After the payload runs, the attacker has access to the vulnerable system with the privileges of the exploited service or user, and may then download data, upload malware, viruses, or backdoors, or do whatever else he wants.


Chapter 3


Figure: How does exploitation work. (1) The attacker sends Exploit + Payload to the vulnerable server; (2) the exploit runs, then the payload runs; (3) data is uploaded to and downloaded from the server.

A typical process for compromising a system

For compromising any system, the first step is to scan the IP address to find open ports and its operating system and services. Then we move on to identifying a vulnerable service and finding an exploit in Metasploit for that particular service.

If the exploit is not available in Metasploit, we go through Internet databases such as www.securityfocus.com, www.exploit-db.com, www.1337day.com, and so on. After finding a suitable exploit, we launch it and compromise the system.

The tools that are commonly used for port scanning are Nmap (Network Mapper), Autoscan, Unicorn Scan, and so on. For example, here we are using Nmap for scanning to show open ports and their services.


First open the terminal in your BackTrack virtual machine. Type in nmap -v -n 192.168.0.103 and press Enter to scan. We use the -v parameter to get verbose output and the -n parameter to disable reverse DNS resolution.

Here we can see the results of Nmap, showing three open ports with the services running on them. If we need more detailed information such as the service version or the operating system type, we have to perform an intense scan with Nmap. For an intense scan we use the command nmap -T4 -A -v 192.168.0.103 (the -A option enables version detection and OS fingerprinting, and the OS fingerprinting part needs root privileges). This shows us the complete results for the service versions and the operating system type.


The next step is to find an exploit matching the service or its version. Here we can see that the first service, on port 135, is msrpc, which is Microsoft Windows RPC. Now we will learn how to find an exploit for this service in Metasploit. Open a terminal and type msfconsole to start Metasploit. Typing search dcom looks for modules whose name or description contains that keyword, which brings up the Windows DCOM RPC exploits in the database.


In the following screenshot, we can see each exploit with its description and the disclosure date of the vulnerability. The exploits are listed with their rank. Of the three exploits related to this vulnerability we select the first one, since it has the highest rank. We have now learned the technique of searching for an exploit in Metasploit with the search <keyword> command.

Finding exploits from online databases

If the exploit is not available in Metasploit, then we have to search the Internet exploit databases for that particular exploit. Now we will learn how to search for an exploit on these online services such as www.1337day.com. We open the website and click on the Search tab. As an example, we will search for exploits on the Windows RPC service.


Now we have to download and save a particular exploit. For this, just click on the exploit you need. After clicking on the exploit it shows the description of that exploit. Click on Open material to view or save the exploit.


The usage of this exploit is provided as part of the documentation in the exploit code, as marked in the following screenshot:

Now we will exploit our target machine with the exploit we have downloaded. We have already scanned the IP address and found three open ports. The next step is to exploit one of them. As an example, we target the service on port 135 of the target machine, which is msrpc. Let us start by compiling the downloaded exploit, which is C source code. To compile it, launch the terminal and type gcc <path to source file> -o <output name>; for example, if the exploit was saved as dcom.c, type gcc dcom.c -o dcom.


After compiling the exploit we have a binary, which we run against the target from the terminal by typing ./<filename>.


From the preceding screenshot, we can see what the exploit requires: the target IP address and the ID of the target's Windows version. Let's have a look at our target IP address.

We have the target IP address, so let's start the attack. Type in ./dcom 6 192.168.174.129.


The target has been exploited and we have a command shell. Now we check the IP address of the victim machine by typing ipconfig.

The target has been compromised and we have gained access to it.

Now we will see how to use the exploits built into Metasploit. We have already scanned an IP address and found three open ports. This time we target port 445, which runs the Microsoft-ds (SMB) service.

Let us start by selecting an exploit. Launch msfconsole, type in use exploit/windows/smb/ms08_067_netapi, and press Enter.


The next step is to check the options the exploit requires for a successful run. Type show options to list them. We need to set RHOST (the remote host), which is the target IP address; the other options can keep their default values. If you choose a reverse-connect payload such as windows/meterpreter/reverse_tcp, also set LHOST to your own address so that the target knows where to connect back.

We set RHOST, the target address, by typing set RHOST 192.168.0.103.

After setting the options, we are ready to exploit the target. Typing exploit gives us the Meterpreter shell.


Summary

In this chapter, we covered the basics of vulnerabilities, exploits, and payloads, and some tips on the art of exploitation. We also covered how to search for vulnerable services and then query the Metasploit database for an exploit. These exploits were then used to compromise the vulnerable system. We also demonstrated how to search for exploits in Internet databases, which hold public exploits for software and services, including some for issues that were unpatched when published. In the next chapter, we will cover Meterpreter basics and more in-depth exploitation tactics.

References

The following are some helpful references that shed further light on some of the topics covered in this chapter:

• http://www.securitytube.net/video/1175

• http://resources.infosecinstitute.com/system-exploitation-metasploit/


Meterpreter Basics

Meterpreter is one of the spearheads in the Metasploit Framework. It is used as a payload after the exploitation of a vulnerable system. It is delivered by in-memory DLL injection stagers and is extended over the network at runtime. In-memory DLL injection is a technique for loading code into the address space of a running process without writing the DLL (Dynamic-link library) to disk. Once an exploit is triggered and Meterpreter is used as the payload, we get a Meterpreter shell on the compromised system. The uniqueness of its attack vector lies in its stealth: it does not create any files on the hard disk but lives inside an existing process in memory. Client-server communication uses a Type Length Value (TLV) format and is carried over an encrypted transport. Within data communication protocols, optional information may be encoded as a type-length-value element: Type indicates the kind of field that is part of the message, Length indicates the size of the value field, and Value is the variable-sized series of bytes that carry the data for this part of the message. This single payload is very effective with its multiple capabilities, which include acquiring the password hashes of a victim machine, running a keylogger, and privilege escalation. The absence of files on disk makes it harder to detect for file-based antivirus and host-based intrusion detection systems, although its network traffic and in-memory behaviour can still be detected.

Meterpreter also has the capability to migrate between processes, attaching to a new one through DLL injection, and so stays inside running applications on the compromised host rather than creating files on the system.

In the previous chapter, we compromised a system to get the reverse connection for the Meterpreter. Now we will discuss the functionalities we can use over the compromised system post exploitation, such as the working of the Meterpreter and the Meterpreter in action.
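Because the TLV format is what every Meterpreter command and response is built from, here is an added example (not Meterpreter's own code) of encoding and decoding it. The framing follows Meterpreter's packet layout: a 32-bit big-endian length that counts the 8-byte header, a 32-bit big-endian type, then the value, with strings NUL-terminated and group TLVs nesting further TLVs. The meta-type flags, type numbers, method name, and request fields below are illustrative assumptions of the example rather than Meterpreter's real constants, and no transport encryption is modelled.

```ruby
# Added example, not Meterpreter's own code: encoder/decoder for a TLV packet
# laid out the way Meterpreter frames its messages. Constants are assumed.
TLV_HEADER_LEN = 8

# Assumed meta-type flags in the high bits of the type field; they tell the
# decoder how to interpret the value without a separate schema.
META_STRING = 1 << 16
META_UINT   = 1 << 17
META_GROUP  = 1 << 30

# Assumed type identifiers for the demo request below.
TLV_METHOD     = META_STRING | 1
TLV_REQUEST_ID = META_STRING | 2
TLV_PID        = META_UINT   | 3
TLV_ARGS       = META_GROUP  | 4

# Encode one TLV: big-endian length (including the header), big-endian type,
# then the value. Groups take an array of [type, value] pairs.
def tlv_pack(type, value)
  body =
    if (type & META_GROUP) != 0
      value.map { |t, v| tlv_pack(t, v) }.join
    elsif (type & META_UINT) != 0
      [value].pack('N')
    elsif (type & META_STRING) != 0
      value.b + "\x00".b
    else
      value.b
    end
  [TLV_HEADER_LEN + body.bytesize, type].pack('NN') + body
end

# Decode a buffer of consecutive TLVs into [type, value] pairs. Any length that
# is shorter than the header or runs past the buffer is rejected; this is the
# check a parser of any length-prefixed format needs before trusting the length.
def tlv_unpack(buf)
  buf = buf.b
  out = []
  pos = 0
  while pos < buf.bytesize
    raise 'truncated TLV header' if buf.bytesize - pos < TLV_HEADER_LEN
    len, type = buf[pos, TLV_HEADER_LEN].unpack('NN')
    raise "bad TLV length #{len}" if len < TLV_HEADER_LEN || pos + len > buf.bytesize
    body = buf[pos + TLV_HEADER_LEN, len - TLV_HEADER_LEN]
    value =
      if (type & META_GROUP) != 0
        tlv_unpack(body)
      elsif (type & META_UINT) != 0
        raise 'bad uint TLV' unless body.bytesize == 4
        body.unpack('N').first
      elsif (type & META_STRING) != 0
        body.chomp("\x00".b)
      else
        body
      end
    out << [type, value]
    pos += len
  end
  out
end

# Demo request (constructed): a method name, a request id, and a PID argument
# wrapped in one group TLV, in the spirit of a migrate command.
def build_request(method, request_id, pid)
  tlv_pack(TLV_ARGS, [[TLV_METHOD, method], [TLV_REQUEST_ID, request_id], [TLV_PID, pid]])
end

if __FILE__ == $PROGRAM_NAME
  pkt = build_request('demo_migrate', 'req-0001', 1512)
  puts "#{pkt.bytesize} bytes on the wire -> #{tlv_unpack(pkt).inspect}"
end
```

The decoder is the part to study: a hostile or corrupted length field is the classic way a TLV parser ends up reading out of bounds, and both the Meterpreter client and server have to make exactly this kind of check on every packet they receive.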


Working of the Meterpreter

Once a system is compromised, we (the attacker) send a first-stage payload to the affected system. This payload connects back to the Metasploit handler. Then a second-stage DLL injection payload is sent, followed by the Meterpreter server DLL. This establishes a socket, and client-server communication can take place through the Meterpreter session. The session is encrypted, which gives confidentiality: a network administrator capturing the traffic sees the connection but not its contents.

Figure: Exploit + 1st stage payload; payload connects back to MSF; 2nd stage DLL injection payload sent; MSF sends Meterpreter DLL; client and server communicate.

Meterpreter in action

In Chapter 3, Exploitation Basics, we were able to exploit the victim machine and get a Meterpreter session from it. Now we will use this Meterpreter session to leverage the various functionalities of the Metasploit Framework.


Chapter 4


We will now display all the weapons of attack that Meterpreter hosts. For this, enter help.

In the preceding screenshot, we see all of the Meterpreter commands that can be used on the compromised system.


The commands can be grouped by their usage, as follows:

• Process listing:

° getuid: Shows the user account that the Meterpreter server is running as on the target.

° kill: Terminates a process.

° ps: Lists the running processes.

° getpid: Shows the process identifier of the process Meterpreter is currently running in.

• Keylogging:

° keyscan_start: Starts capturing keystrokes.

° keyscan_stop: Stops the keystroke capture.

° keyscan_dump: Dumps the keystrokes captured so far from the victim machine.

• Desktop and session handling:

° enumdesktops: Lists all of the accessible desktops and window stations.

° getdesktop: Shows the desktop Meterpreter is currently attached to.

° setdesktop: Changes Meterpreter's current desktop.

• Sniffer functions:

° use sniffer: Loads the sniffer extension.

° sniffer_start: Starts capturing packets on the given interface.

° sniffer_dump: Saves the packets captured on the victim machine to a local file.

° sniffer_stop: Stops capturing on the interface.

• Webcam and microphone:

° webcam_list: Lists the webcams on the system.

° webcam_snap: Takes a snapshot from a webcam on the victim machine.

° record_mic: Records audio from the default microphone on the machine.


Now we will start the penetration testing procedure and perform the first step by starting to gather information about our victim machine. Type sysinfo to check the system information.

In the preceding screenshot we can see the system information: the computer name and the operating system used by the victim. Now we will capture a screenshot of the victim machine's desktop. For this, type in screenshot.


We can see the victim machine's screenshot as follows:

Let us check the list of all the processes running on the victim machine. For this just type ps and it will show the running processes.


In the preceding screenshot, we can see the process list with detailed information. The first column shows the PID (process ID) and the second column shows the process name. The next columns show the architecture of the process, the user it runs as, and the path it was started from.

In the process list, we find the process ID of explorer.exe and migrate into that process. To migrate into any process, type migrate <PID>. Here we are migrating into explorer.exe, so we type in migrate 1512.

After migrating with a process, we then identify the current process. For this, type in getpid.


We can see that the current process ID is now the one we migrated into on the victim machine.

Next, we move on to some real hacking stuff by using the keylogger service on the victim machine. We type in keyscan_start and the keylogger will start and wait for a few minutes to capture the keystrokes of the victim machine.

The victim has started to type something in the Notepad. Let us check if we have the capture.

Now, let us stop the keylogger service and dump all of the keystroke logs from the victim machine. For this, type keyscan_dump and then type keyscan_stop to stop the keylogger service. You can see in the following screenshot that we have the exact capture. Bravo!


Let's try some more interesting activities in our Meterpreter session. Let's check whether the victim's machine has a webcam available or not. For that, we type in webcam_list and it displays the webcam list from the victim machine. In the following screenshot, we can see that a webcam is available.


Thus we know that the victim has an integrated webcam. So let's capture a snapshot of the victim from his/her webcam. Just type in webcam_snap.

In the preceding screenshot, we can see that the webcam shot has been saved locally in the root directory with the name yxGSMosP.jpeg. Let us verify the captured image in the root directory.


After that, we will check which user account Meterpreter is running as on the victim machine. Type in getuid.

After playing with the victim machine, now it is time for some serious stuff. We are going to access the victim's command shell to control his/her system. For this, just type in shell and it will open a new command prompt for you.


Now let us make a directory on the victim machine. Type in mkdir <directory name>. We are creating a directory named hacked in C:\Documents and Settings\Victim.

Let us verify whether the directory has been created or not under C:\Documents and Settings\Victim.


Now we are going to shut down the victim computer while displaying a message on his screen. For this, type in shutdown -s -t 15 -c "YOU ARE HACKED". In this command, -s requests a shutdown, -t 15 sets a 15 second timeout, and -c supplies the message or comment shown to the user.

Let's see what happened on the victim machine.
