Nothing to hand in.
This lab is a quick tour through a simple example of how to use exploits and payloads in Metasploit.
When you're hunting for vulnerabilities on a target system, you can end up collecting a lot of information. To help you keep track, Metasploit supports a database that automatically populates with the information you uncover. To start using the Metasploit database, here's what you do.
Most of the rest of your work will take place in the Metasploit Framework Console, a command-line interface. Just run this in a terminal:
From here on out, unless I specify otherwise, all commands are to be issued at the msfconsole prompt.
You can separate your msfconsole and database collections into "workspaces" to help you keep track of different projects. Create a new workspace:
You can take a look at the available workspaces:
or switch between workspaces:
Run our nmap-based approach to host discovery, this time storing the results in the Metasploit database. (I'm assuming that your Metasploitable VM is at a 10.0.2.* address.)
Now you can take a look at the hosts discovered:
Suppose you want to do an "aggressive" scan of 10.0.2.4 for open ports and the services running on them.
Once that scan is complete, you can take a look at the services that the scan discovered:
Now that you have a list of services on the target machine, you can use that list to investigate possible attacks. There are more sophisticated ways to do this, but let's start simple: we'll google for exploits.
Note that an exploit is a piece of code that runs on our own machine and attempts to take advantage of a bug in some server software so that we can do something to the target machine. When we run an exploit, we usually give it a payload, that is, a piece of software that will run on the target machine to accomplish our goals. A very common (and desirable) payload type is a shell: an interface through which we can execute arbitrary commands on the target system.
In our case, when I ran a port scan on 10.0.2.4 (my Metasploitable's IP address) and then looked at the available services, one of the services I saw was a version of the Samba file server software:
Googling for "Samba smbd 3.X - 4.X workgroup: WORKGROUP vulnerabilities", I found myself at this Rapid7 vulnerability database page (note that Rapid7 owns and maintains the Metasploit project). This page tells me to try the "exploit/multi/samba/usermap_script" module. So:
This causes my msfconsole prompt to reflect the module I'm currently using:
Once I'm using a particular exploit, I need to set up its parameters, known in Metasploit as options. First step, see what those options are:
This gives me a listing like this:
The RHOST option obviously needs to be set; it tells the exploit which IP address we're attacking. Assuming 10.0.2.4 is my target machine's IP:
Then run "show options" again to see if things are set the way you want them.
Next up, find out what payloads Metasploit has that are compatible with our exploit:
In this case, we get a long list of possible payloads. One of the command-shell payloads listed is "cmd/unix/reverse" (where "reverse" refers to a "reverse TCP shell" in which the payload running on the target machine initiates a TCP connection with our attacking machine rather than the other way around). To set up the payload:
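Seen from the target's side, the reverse TCP shell just described leaves a distinctive trace: a server daemon such as smbd, which should only ever accept connections on its own port, suddenly holds an outbound connection from an ephemeral port, often with a shell process as its child. The script below is an added example for this lab (not part of the handout and not Metasploit code) that looks for exactly that pattern. It parses constructed records in the shape of `ss -tnp` and `ps -eo pid,ppid,comm` output; the sample addresses, PIDs and the small "inbound-only daemons" policy table are assumptions made up for the example, not captured from a real host.

```python
"""Detect the reverse-shell pattern: an inbound-only daemon that dialled out.

Added example for the lab; the sample data below is constructed, not captured.
"""
import re
from dataclasses import dataclass

# Constructed policy: daemons that should only *accept* connections, and the
# port they serve on. On a real host this baseline comes from the host itself.
INBOUND_ONLY = {"smbd": 445, "vsftpd": 21, "apache2": 80}
SHELLS = {"sh", "bash", "dash", "ksh", "zsh"}

# Constructed sample in the shape of `ss -tnp` output: one legitimate inbound
# SMB session, one outbound connection made by smbd itself, one unrelated ssh.
SAMPLE_SS = """\
ESTAB 0 0 10.0.2.4:445   10.0.2.15:51234 users:(("smbd",pid=1337,fd=37))
ESTAB 0 0 10.0.2.4:37761 10.0.2.9:4444   users:(("smbd",pid=1337,fd=5))
ESTAB 0 0 10.0.2.4:49152 10.0.2.1:22     users:(("ssh",pid=2100,fd=3))
"""

# Constructed sample in the shape of `ps -eo pid,ppid,comm` output.
SAMPLE_PS = """\
  PID  PPID COMMAND
    1     0 init
 1337     1 smbd
 1402  1337 sh
 2100  1900 ssh
"""

SS_LINE = re.compile(
    r'^(?P<state>\w+)\s+\d+\s+\d+\s+'
    r'(?P<laddr>\S+?):(?P<lport>\d+)\s+'
    r'(?P<raddr>\S+?):(?P<rport>\d+)\s+'
    r'users:\(\("(?P<comm>[^"]+)",pid=(?P<pid>\d+)'
)


@dataclass(frozen=True)
class Conn:
    state: str
    laddr: str
    lport: int
    raddr: str
    rport: int
    comm: str
    pid: int


def parse_ss(text):
    """Turn ss-style lines into Conn records; unrecognised lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = SS_LINE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        conns.append(Conn(d["state"], d["laddr"], int(d["lport"]),
                          d["raddr"], int(d["rport"]), d["comm"], int(d["pid"])))
    return conns


def parse_ps(text):
    """Map pid -> (ppid, command) from ps-style output, skipping the header."""
    procs = {}
    for line in text.splitlines()[1:]:
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        procs[int(parts[0])] = (int(parts[1]), parts[2])
    return procs


def find_reverse_shell_indicators(conns, procs, inbound_only=INBOUND_ONLY):
    """Flag inbound-only daemons holding connections they initiated themselves."""
    findings = []
    for c in conns:
        svc_port = inbound_only.get(c.comm)
        if svc_port is None or c.state != "ESTAB":
            continue
        if c.lport == svc_port:
            continue  # normal: the daemon is the server side of this session
        # Local port is ephemeral, so the daemon dialled out. That is what a
        # reverse-shell payload makes it do; a shell child makes it more certain.
        shell_children = [pid for pid, (ppid, comm) in procs.items()
                          if ppid == c.pid and comm in SHELLS]
        findings.append({
            "pid": c.pid,
            "comm": c.comm,
            "remote": f"{c.raddr}:{c.rport}",
            "shell_child": shell_children[0] if shell_children else None,
        })
    return findings


def scan(ss_text=SAMPLE_SS, ps_text=SAMPLE_PS):
    return find_reverse_shell_indicators(parse_ss(ss_text), parse_ps(ps_text))


if __name__ == "__main__":
    for f in scan():
        extra = f"; shell child pid {f['shell_child']}" if f["shell_child"] else ""
        print(f"[!] {f['comm']} (pid {f['pid']}) holds an outbound connection "
              f"to {f['remote']}{extra}")
```

Run against the constructed sample, the script reports only the second smbd line: the first is the daemon legitimately serving a client on port 445, and ssh is a client program that is expected to dial out. The "inbound-only" table is the whole of the policy here; the same check on a real host would take its baseline from the services the host is actually meant to run.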
Then see what options the payload requires:
The required-but-unset option we see now is LHOST. Using my attacking machine's IP address:
we're all set to try out the attack.
Do you get a shell? The exploit's own log messages might tell you yes or no. If you do get one, you probably won't see a prompt, so just try a Unix command such as "ls -l" to check.