Friday, April 25, 2014

Exploitation Through Metasploit

Exploitation is the main part of penetration testing many security professionals’ careers. The ability to gain full control over a targeted machine is a great feeling. Various system and network protections have made it increasingly more difficult to succeed with basic exploits. So we need to know advance exploitation.

In this article, we move into more difficult attack methods, beginning with command-line interfaces to the Metasploit Framework. Most of the attacks and customizations discussed in this article will occur in msfconsole, msfencode, and msfpayload.

Before you begin to exploit systems, we need to understand a few things about penetration testing and exploitation.

Basic Exploitation:-

The Metasploit Framework contains hundreds of modules, and it’s impossible to remember them all. So we use "show" command from msfconsole. We will display every module available in the Framework.

msf> show exploits

Exploits operate against the vulnerabilities that you discover during a penetration test. New exploits are always being developed. And the list will continue to grow. This command will display every currently available exploit within the Framework.

We can search particular exploits. See bellow examples.

Example: if you want to launch an attack against SQL. You could search for SQL like this:

#msf > search mssql 

We can search other exploit like ms08_067. Choosing exploit is main thing during exploitations. If you are choosing wrong exploit, then you cannot success for you exploitation. So be careful for choosing exploit.

If module is found you could load the found module with the use command as shown bellow

 msf> show auxiliary
Auxiliary modules in Metasploit can be used for a wide range of purposes. They can operate as scanners, denial-of-service modules, fuzzers, and much more. This command will display all auxiliary models and list their features.

msf> show options

Before we go for show options command, we need to set our module. After set module we can use show options command, and it display all options that can be set by us.Metasploit will display only the options that apply to that particular module.

msf> show payloads

When you run show payloads from a module specific prompt. Metasploit displays only the payloads that are compatible with that module. To see an active list of payloads, run the following command.

#show payload 

This would show you all payloads available in Metasploit. However, if you are in an actual exploit, you will see only payloads applicable to the attack. You cannot use other payload against target. So be carefully.

For example: running show payloads from the msf exploit(ms08_067_netapi) prompt would result in the output shown above screenshot.

Next step is choosing your payload from above list. We just use windows/shell/reverse_tcp for target. So let’s do that.

When we enter show options again we see that additional options are shown bellow

Notice that when the payload is selected and the options are displayed. We are presented with some additional options in the payload Section such as LHOST and LPORT. In this example, you could configure the payload to connect back to the attacker machine on a specific IP address and port number, called a reverse payload.

          In reverse payloads, the connection is actually triggered by the target machine and it connects to the attacker. You might use this technique to bypass a firewall or NAT installation. So we need to set LHOST and LPORT which is our ip address and port.

msf> show targets

Using the show targets command at MS08-067, prompt displays a list of exploit targets. The success of the exploit will depend on the version of Windows you are targeting. Sometimes automatic detection will not work and could even trigger the wrong exploit, which will usually lead to a service crash.
          We can show targets using the show target command as shown bellow.

In this example, you can see that the exploit lists Automatic Targeting one option. Often, an exploit module will attempt to target the operating system automatically based on its version and select an exploit based on the system’s fingerprint. We can also set particular target, if you know about operating system and its version.

InfoWhen the short description of a module provided by the show and search commands isn’t sufficient, then use the info command to display all the information, options, and targets available for that module as shown bellow.

Set and unset All the options for a given Metasploit module must be either set or unset, especially if they are marked as required or yes. When you enter show options, you will see information that is wrong or miss configure. Use the unset Command to set again.

We set the target IP address (RHOST) to and we set IP address (LHOST) to Now Running show options confirms that our settings have been saved or not then use unset command for remove miss configuration.

          After configure our exploit, we can check our exploit against target without exploiting using check command. We can show bellow.

Exploiting Windows XP SP2 Machine:

If you used the vulnerability scanners against your Windows XP SP2 machine. We’ll begin by finding this vulnerability on our own. As your skills as a penetration tester improve the discovery of certain open ports will trigger ideas about how you might exploit a particular service.

There is many vulnerability by default in operating systems. We know that windows xp sp2 is vulnerable for SMB. So we search ms08_067_netapi exploit and use that to access of windows xp sp2 machine as shown bellow.

We can see above options, we need to set RHOST, PAYLOAD, LHOST and TARGET. but keep in mind many Metasploit module choose automatic target select. You can also see list of target available for this module using show target command as seen before. After set all credentials we need to check options again for conformation.

In above screenshot we set RHOST which is out target IP address. Also set PAYLOAD as Windows-based shell reverse_tcp. Which is start a connection on the target machine and connect back to the attacking machine. We also set LHOST which is attacker (Our machine IP address).

Now our exploit is configured and we are ready for exploit target machine. We use exploit command for exploiting target machine.

Here we get target machine shell. We also check IP address of target machine for conformation.

Exploiting Linux Machine:-

Let’s try a different exploit on Linux machine. The steps are pretty much the same as for the preceding exploit except that we will select a different payload. We see there are many open ports and its services with version as shown bellow.

We are most interested in the above line. As above you can see many ports are open, so you can choose your exploit according to target vulnerability. We use distcc_exec. This module uses a documented security weakness to execute arbitrary commands on any system running distccd.

Now search module in msfconsole, use these module and also check options.

 Now set RHOST, PAYLOAD, and LHOST and check options again for conformation. 

After conforms all options we need to exploit the target machine using exploit command. After exploiting target you can see the session 1 open that means the attacker machine is connected with target machine using port 4444. And also check iip address using ifconfig command, as shown bellow.

Brute Forcing Ports:-
We can see in many scenarios the reverse port always being open. But what if we are attacking an organization with very strict egress port filtering? Most companies block outbound connections except those from a few defined ports, and it can be difficult to determine which ports can make outbound connections. We can guess that port 443 won’t be inspected and will allow a TCP connection out, and that FTP, Telnet, SSH, and HTTP may be allowed.

          But why guess when Metasploit has a very specific payload for use in finding open ports. Metasploit’s payload will try every available port until it finds an open one. Let’s use this payload and have it try all ports connecting outbound until we get one that is successful. So let’s start.

First we need to choose exploit for hack target. We just use ms08_067_netapi, now set RHOST, LHOST and TARGET. And set PAYLOAD to windows/meterpreter/reverse_tcp_allports.  It will try every available port until it finds an open one.

Now you are ready for exploiting target that has port filtering facilities. So let’s exploit it using exploit command.

Here you can see we are successfully exploit target using reverse_tcp_allports payload. We can also see ip address of target machine. Notice that we do not set an LPORT instead. We use allports because we are going to try to connect out of the network on each port until we find an open one.
          If you will see that our attacker machine is bound to: 1 (all ports) and that it finds a port outbound on port 1137 on the target network.

Resource Files:
Resource files are script files that automate commands within msfconsole. They contain a list of commands that are executed from msfconsole and run sequentially. Resource files can greatly reduce testing and development times, allowing you to automate many repetitive tasks, including exploitation.
          Resource files can be loaded from msfconsole with the resource command, or they can be passed as a command-line argument with the -r switch.
          For example: creates a resource file that displays our ip address and then ping target machine. So first we create resource file named test.rc and check file content as shown bellow.

Now load our resource file in msfconsole using –r option as told before.

As you can see resource file makes task automated and increases penetration testing speed. You may configure different things in resource file according to your need and make your pentesting faster and batter.

Exploiting windows server 2003:
Windows 2003 Server is one of the most widely used enterprise-based operating systems of Microsoft. We will see how we can exploit a Windows 2003 Server. The updated versions of the Windows 2003 Server are patched so the dcom Vulnerability doesn't work in it. So we will try different vulnerability in this topic. We will be using the netapi32.dll vulnerability.

Let us start with searching for netapi. This will list any available exploit related to netapi in the Metasploit directory.

As we can see, above of the results, the exploit has a great rating. So we will prefer using this exploit.

Now we will set up RHOST as our target Windows 2003 Server. Also set PAYLOAD to bind_tcp and set LHOST which is attacker IP address as shown bellow.

Now our exploit and payload are ready. The next and the final step is to use the exploit command. Let us analyze the result of the execution.

We have a shell connection with our target. This gives us access to the target machine through the command line. You can see how powerful Metasploit can be for penetrating target machines. As shown above screenshot session 1 is open and attacker machine is connected to windows server 2003 with 4444 port.

Exploiting windows 7 / windows server 2008 R2:
There are very few exploits available for Windows 7 and Windows Server 2008. The SMB client infinite loop is one such vulnerability that causes a system crash. This vulnerability will not provide any session or shell connectivity, but it is worth discussing. We will deal with the DLL injection flaw in Windows 7.
The SMB client in the kernel in Microsoft Windows Server 2008 R2 and Windows 7 allows remote SMB servers and man-in-the-middle (MITM) attackers to cause a denial of service (infinite loop and system hang) via SMBv1 or SMBv2 response packet. The packet contains an incorrect length value in a NetBIOS header or an additional length field at the end of this response packet. This incorrect header value is the main reason for the vulnerability.

Metasploit contains an auxiliary module auxiliary/dos/windows/smb/ms10_006_ negotiate_response_loop which can be used to exploit the SMB server and cause a denial of service.

Let’s use this module using use command and check options using show options command. And set SRVHOST which is attacker local IP address. Now our module is configured, and launches our module using run command.

We will use the run command to execute the auxiliary module. Once the module executes, it generates a shared folder link which has to be sent to the target. In this case, the link generated is “\\\Shared\Anything”.
We can make the link look less suspicious by crafting a web page and attaching this link to it and then sending it to the target user (using social Engineering). Once the target clicks on this link, the system will completely freeze and will lead to a complete denial of service.

Thus how exploitation works using MSF. In my previous two articles you have seen how to do information gathering and vulnerability scanning. This was the exploitation parts and my next article you will see about post exploitation and bypassing firewall rules.


Visit New Information Security Blog

No comments: