Complete Step-by-Step guide
By
Cyber_Warrior
Acknowledgement: This is not entirely my own work. Thanks to SecurityFocus.com and their authors Mr. Pukhraj Singh and Mr. K.K. Mookhey.
Disclaimer: This document is prepared entirely with the basic premise of learning. Ht0rg and I don't take any responsibility for any illegal activities originating from this tutorial. The Metasploit Framework is an open source framework and is freely available on the web. This guide is meant to help you use it and learn how exploits and penetration testing are done. We (ht0rg and I) don't support any sort of illegal hacks or penetration of systems which you are not authorized to access. Metasploit is a very powerful tool and should be used with some responsibility.
So here we begin an exciting journey of hacking. The best part of the Metasploit Framework is that you get hands-on access to pre-compiled exploit code and various payloads. Metasploit is so flexible that you can use any sort of payload as your attack requirements dictate. A little confusing? Don't worry, everything will become clear as we explore Metasploit.
sploit
(n.) Exploit. A defect in the game code (see bug) or design that can be used to gain unfair advantages. (Source: Dictionary of MMORPG Terms)
Exploit development tools and automated frameworks for exploit testing and simulation are the need of the hour. The Metasploit Framework (MSF) is something which fits the bill. Its latest release has agility and muscle quite comparable to its high-priced commercial counterparts, and the ability to code an exploit in the shortest possible timeframe thanks to a very well defined development interface. With a complete exploit environment, working exploits, effective payloads and additional handlers, this is one tool which penetration testers must utilize.
This article provides an insight into the basics of exploit development frameworks, with a special focus on the Metasploit Framework and how it can be used to save time and resources. I will describe its usage with graphical illustrations, detail the various commands available, describe features, give practical examples, and use these skills to develop new exploits and test out new techniques. Most importantly, I'll show some examples of successful hacks with various exploit modules of Metasploit.
Enter the Metasploit Framework (MSF)! According to the MSF User Crash Course guide:
"The Metasploit Framework is a complete environment for writing, testing, and using exploit code. This environment provides a solid platform for penetration testing, shell code development, and vulnerability research."
In my words, the Metasploit Framework is a single solution to all the above-discussed problems. The framework has matured to quite an extent with the 2.0 release. It's more stable, has very attractive features and a very intuitive user interface for exploit development.
The major features that give MSF an edge over other options are:
· It is primarily written in Perl (with some parts in assembly, Python and C), which means clean, efficient code and rapid plug-in development.
· Pre-packaged support for extensible tools, libraries and features like debugging, encoding, logging, timeouts and random nops and SSL.
· An intelligible, intuitive, modular and extensible exploit API and environment.
· Highly optimized multi-platform, multi-featured payloads that are dynamically loadable.
· Enhanced handler and callback support, which really shortens the exploit code.
· Support for various networking options and protocols, which can be used to develop protocol dependent code.
· Supplementary exploits are included, which help us test out exploitation techniques and the sample exploits developed.
· It is Open Source Software and has a dedicated developer community for support.
· Support for advanced features and third party tools like InlineEgg, Impurity, UploadExec and chainable proxies.
It's clear that MSF is definitely a tool the penetration tester must get acquainted with. It gives the art of exploitation a whole new paradigm.
Installation
Currently, the Metasploit Framework works efficiently on Linux and Windows. There are some minor compatibility issues, but they can be ignored. Users can download the latest release for Windows and Linux from http://www.metasploit.com/projects/Fram ... loads.html.
The installation is trivial and intuitive, and the download packages are in an extract-and-run state. On Linux, decompress the archive (which is in the format framework-2.x.x.tar.gz); the framework directory contains compiled binaries for various utilities. When running on Linux it is advised that the Term::ReadLine::Gnu (for tab completion support) and Net::SSLeay (for SSL support) modules be installed (these are found in the extras directory).
The Windows environment is based on a stripped-down Cygwin environment, which is a wise solution as it provides a very handy console to the user. However, there were some problems with support for ActiveState Perl, hence it supports Cygwin Perl only. The installation is packaged as an executable setup, which installs the Metasploit Framework in the specified directory and adds shortcuts to it.
Now we will start with a brief introduction to the console interface and explain how to select and use an exploit module.
The installed MSF has two work environments, the msfconsole and the msfweb interface. However, the primary (and preferred) work area for MSF is the msfconsole. It is an efficient command-line interface that has its own command set and environment system. Although the Framework was designed to run on a Unix-like system, such as Linux or BSD, it will also run on Windows through the Cygwin environment. The Windows installer, from the metasploit.com web site, includes a pre-configured and stripped-down version of Cygwin.
During the initialization of msfconsole, standard checks are performed. If everything works out fine we will see the display as shown in Figure 1.

Figure 1
Now the command prompt (msf>) for msfconsole is active. The console is very flexible, and if the user enters any unknown commands, it will search the PATH environment variable for any matching executable. If a matching file is found it is executed much like a standard command prompt.
Intuitively enough, typing the help command displays a list of the available commands, as shown in Figure 2.

Figure 2
The command show exploits lists out the currently available exploits. There are remote exploits for various platforms and applications like Windows, Linux, IIS, Apache, and so on, which help to test the flexibility and understand the working of MSF. This is shown in Figure 3, below.

Figure 3
As you may have noticed, the default installation of the Metasploit Framework v2.5 comes with 111 exploits and 75 payloads, which is quite an impressive stockpile.
To list out the payloads present, execute the show payloads command. The payloads are neat, efficient and very well written. These payloads accomplish a wide array of tasks, such as binding a command shell to a listening port, adding new user accounts, or uploading and executing the program of your choice. MSF even has support for dynamic payload creation, using the InlineEgg library as shown in Figure 4.

Figure 4
Specific information about an exploit can be culled with the command info exploit exploit_name, which provides information such as available targets, exploit requirements, details of the vulnerability itself, and even references where you can find more information! This is shown in Figure 5.

Figure 5
In the same manner, information about a specific payload can be gained by the command info payload payload_name. Starting with version 2.2 of MSF, you can use info module_name, without having to specify the type, as shown in Figure 6.

Figure 6
Using An Exploit
Now we will describe the procedure to select a specific exploit and then run it. The command use exploit_name activates the exploit environment for the exploit exploit_name. If you select the Microsoft RPC DCOM MS03-026 exploit using the name msrpc_dcom_ms03_026, you will notice the prompt changes from msf> to msf msrpc_dcom_ms03_026 >. This signals that we are working in the temporary environment of that exploit. The show command can be used to view information about the current exploit. The show options command displays the various parameters required to use the exploit, as shown in Figure 7.

Figure 7
It's clear that this exploit requires two parameters, RHOST (the target's address) and RPORT (the target's port, which defaults to 135 in this case). The show targets command will list all available targets for the selected exploit module. As you can see, this module only has one target, which works on NT 4.0 SP6, plus all versions of Windows 2000 and all versions of Windows XP.
The show payloads command will list all payloads that are compatible with the selected exploit. MSF does a good job of preventing you from using the wrong payload for a given exploit.
We must set each of the options listed as 'required' before we can use this exploit. In this exploit we only have a single target option, so we set the TARGET variable to 0, with the command set TARGET 0. Many exploits will choose a reasonable default target for you. We now set the target server's IP address with the command set RHOST 192.168.0.27.
Next we need to set the required payload (shell code) for the exploit. Here we set PAYLOAD to win32_bind, using the command set PAYLOAD win32_bind. The payload names may change between versions of MSF, so always check the output of show payloads after an upgrade. This particular payload will cause the server to listen on a port and spawn a command shell when a connection is made. This displays the flexibility of the MSF payload system. Every single exploit included in MSF allows arbitrary payloads to be selected and used, even custom ones you develop yourself. Notice the prompt changes from msf msrpc_dcom_ms03_026 > to msf msrpc_dcom_ms03_026(win32_bind) > after selecting a payload. Now we use the show options command to check which options have been set and which are still required. We still need to set the value for LPORT, which we can do with the command set LPORT 4444. By default Metasploit uses the value 4444, so you can also leave it at the default, as shown in Figure 8.

Figure 8
The EXITFUNC variable is available for almost every Windows payload. This variable controls how the payload will clean up after itself once it accomplishes its task. Quite a few vulnerabilities can be exploited repeatedly, simply by using a different value for EXITFUNC. Fortunately, you rarely have to worry about this as many exploits automatically select the best value for you. Unless you know what you are doing, this value should not be set. Setting the wrong value can wreak havoc on the exploited system.
Many exploits and payloads have another set of options, called advanced options. These can be displayed with the command show advanced. Advanced options can perform tasks such as modifying an exploit request to avoid an IDS signature, changing brute force settings, or specifying exact return addresses to use.
At this point, everything is ready and all variables have been set. We make a final check on the exploit with the show options command and verify that we are good to go.
Everything seems perfect. It's show time!
The exploit command actually launches the attack, doing whatever it needs to do to have the payload executed on the remote system.
The check command can be used to determine whether or not the target system is vulnerable to the attack. The check feature is not available with every exploit, but it can be useful when you are trying to determine if a system is patched before trying to exploit it.
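The walkthrough above (use, set, show options, show payloads, then exploit) relies on the console's environment system to refuse incompatible payloads and to stop you launching with required options unset. The following is an added example, not Metasploit code: a small Python model of that environment, with a constructed module catalogue using the names from the tutorial (msrpc_dcom_ms03_026, win32_bind, win32_reverse, RHOST, RPORT, LPORT, EXITFUNC). The linux_ia32_bind entry and the platform field are assumptions used only to show the compatibility filter; the real framework's option tables and matching rules are richer than this.

```python
"""Simplified model of the msfconsole exploit environment (added example,
not the Metasploit Framework's own code). It shows how per-module options
carry defaults and 'required' flags, how 'show payloads' is filtered to
compatible payloads, and why 'exploit' can only run once every required
option has a value."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Option:
    name: str
    required: bool
    default: Optional[str] = None
    description: str = ""


@dataclass
class Module:
    name: str
    platform: str                        # assumed: used for payload compatibility
    options: List[Option] = field(default_factory=list)


# Constructed catalogue modelled on the modules named in the tutorial.
EXPLOITS = {
    "msrpc_dcom_ms03_026": Module(
        "msrpc_dcom_ms03_026", "win32",
        [Option("RHOST", True, None, "target address"),
         Option("RPORT", True, "135", "target port"),
         Option("TARGET", True, "0", "target index (single target here)")]),
}
PAYLOADS = {
    "win32_bind": Module("win32_bind", "win32",
        [Option("LPORT", True, "4444", "port the payload listens on"),
         Option("EXITFUNC", False, "seh", "cleanup technique")]),
    "win32_reverse": Module("win32_reverse", "win32",
        [Option("LHOST", True, None, "address to connect back to"),
         Option("LPORT", True, "4444", "port to connect back to"),
         Option("EXITFUNC", False, "seh", "cleanup technique")]),
    "linux_ia32_bind": Module("linux_ia32_bind", "linux",   # hypothetical entry
        [Option("LPORT", True, "4444", "port the payload listens on")]),
}


class Console:
    """Holds the temporary environment that 'use' creates for one exploit."""

    def __init__(self):
        self.exploit = None
        self.payload = None
        self.env = {}                    # values given with 'set NAME value'

    def use(self, name):
        """'use exploit_name': enter a fresh environment for that exploit."""
        self.exploit = EXPLOITS[name]
        self.payload = None
        self.env = {}
        return f"msf {name} >"           # the prompt changes, as in the tutorial

    def compatible_payloads(self):
        """'show payloads' lists only payloads matching the exploit's platform."""
        return sorted(p for p, m in PAYLOADS.items()
                      if m.platform == self.exploit.platform)

    def set(self, name, value):
        """'set NAME value'; selecting a payload is validated for compatibility."""
        if name == "PAYLOAD":
            if value not in self.compatible_payloads():
                raise ValueError(f"{value} is not compatible with {self.exploit.name}")
            self.payload = PAYLOADS[value]
        self.env[name] = value

    def active_options(self):
        return list(self.exploit.options) + (self.payload.options if self.payload else [])

    def show_options(self):
        """Current value of every option: the explicit setting, else its default."""
        return {o.name: self.env.get(o.name, o.default) for o in self.active_options()}

    def missing_required(self):
        """Required options with neither an explicit value nor a default."""
        current = self.show_options()
        missing = [o.name for o in self.active_options()
                   if o.required and current[o.name] is None]
        if self.payload is None:
            missing.append("PAYLOAD")
        return missing

    def ready(self):
        """What the final 'show options' check verifies before 'exploit' is run."""
        return not self.missing_required()


if __name__ == "__main__":
    c = Console()
    print(c.use("msrpc_dcom_ms03_026"))
    print("compatible payloads:", c.compatible_payloads())
    c.set("RHOST", "192.168.0.27")
    c.set("PAYLOAD", "win32_bind")
    print(c.show_options())
    print("ready:", c.ready())
```

Switching the payload to win32_reverse makes LHOST appear as a missing required option even though LPORT keeps its default, which is exactly why the tutorial repeats show options after every change of payload.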
Now, if everything goes fine, you will have shell access to the victim machine. In my personal experience, using the win32_reverse payload rather than win32_bind increases the success rate of receiving the shell.
Now for an important part of this tutorial, to make you believe just how powerful the Metasploit Framework is in the right hands: I'll show you some of my successful hacks using Metasploit's various exploit modules. The first one is my pen test and compromise of a vulnerable Oracle9i database server. The attack is illustrated below in Figure 9.
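The two payloads mentioned above leave different traces on the exploited host: win32_bind opens a new listener on LPORT (4444 by default), while win32_reverse makes an outbound connection from the host to the attacker's LHOST:LPORT. The following is an added example, not part of the original tutorial, showing how a defender can spot either shape in netstat -an style output. The sample lines are constructed, the expected listener set is an assumption for a Windows host, and the port heuristic is deliberately weak: LPORT is configurable, so a 4444 match is a lead for investigation, not proof.

```python
"""Added example (not from the tutorial): flag connection-table lines that
match the two payload shapes described in the text. Input is constructed
'netstat -an' style output from a Windows host."""
import re

DEFAULT_LPORT = 4444   # MSF's default LPORT; attackers can and do change it

# Matches lines such as:  TCP    0.0.0.0:4444    0.0.0.0:0    LISTENING
LINE_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+|\*)(?:\s+(\S+))?")


def parse(line):
    """Return a dict for one netstat line, or None if it is not a socket row."""
    m = LINE_RE.match(line)
    if not m:
        return None
    proto, laddr, lport, raddr, rport, state = m.groups()
    return {"proto": proto, "laddr": laddr, "lport": int(lport),
            "raddr": raddr, "rport": None if rport == "*" else int(rport),
            "state": state or ""}


def suspicious(lines, lport=DEFAULT_LPORT):
    """Findings as (kind, local, remote) tuples for the two payload shapes."""
    findings = []
    for ln in lines:
        rec = parse(ln)
        if rec is None or rec["proto"] != "TCP":
            continue
        local = f'{rec["laddr"]}:{rec["lport"]}'
        remote = f'{rec["raddr"]}:{rec["rport"]}'
        if rec["state"] == "LISTENING" and rec["lport"] == lport:
            # bind-shell shape: the host itself now accepts connections on LPORT
            findings.append(("bind-shell listener", local, remote))
        elif rec["state"] == "ESTABLISHED" and rec["rport"] == lport:
            # reverse-shell shape: the host connected out to something on LPORT
            findings.append(("reverse-shell connection", local, remote))
    return findings


# Constructed sample: a host with normal Windows listeners, plus one of each shape.
SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING
  TCP    192.168.0.27:1042      192.168.0.5:4444       ESTABLISHED
  TCP    192.168.0.27:1043      192.168.0.9:80         ESTABLISHED
  UDP    0.0.0.0:137            *:*
""".splitlines()

if __name__ == "__main__":
    for kind, local, remote in suspicious(SAMPLE):
        print(f"{kind}: {local} -> {remote}")
```

Because the port is only a default, a more robust check compares the current listener set against a known-good baseline for the host (the three Windows listeners in the sample) and alerts on any new listener or any outbound connection from a service process, regardless of port.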

Figure 9
Another such test used the Microsoft WINS vulnerability, which affects all Windows platforms except Win98. In it a vulnerable Exchange server was compromised with great ease and no hassle at all. The attack is illustrated in Figure 10.

Figure 10
The basic premise of this tutorial is to make you aware of a few very powerful penetration-testing tools available on the web free of cost. Metasploit, in conjunction with NMAP, Nessus and other security tools, can easily form an integral part of a penetration tester's toolbox. And the fact is that it is indeed one.
Cyber_Warrior