Hacking With Metasploit-Step by Step guide

Docs that have proven to be a staple in understanding computer/network security. This is not an inclusive forum and nothing published will tell you how to 0wn someone; these docs will help you understand how you got 0wnd.
cyber_warrior2
Sargeant at Arms
Posts: 296
Joined: Sat Jun 12, 2004 1:48 pm
Location: India

Hacking With Metasploit-Step by Step guide

Post by cyber_warrior2 » Tue Dec 20, 2005 3:19 pm

Hacking with Metasploit Framework
Complete Step-by-Step guide
By
Cyber_Warrior


Acknowledgement: This is not entirely my own work. Thanks to SecurityFocus.com and their authors Mr. Pukhraj Singh and Mr. K.K. Mookhey.

Disclaimer: This document is prepared entirely with the basic premise of learning. Ht0rg and I don't take any responsibility for any illegal activities originating from this tutorial. The Metasploit Framework is an open source framework and is freely available on the web. This guide is meant to help you use it and learn how exploits and penetration testing are done. We (ht0rg and I) don't support any sort of illegal hacks or penetration of systems which you are not authorized to access. Metasploit is a very powerful tool and should be used with some responsibility.

So here we begin an exciting journey of hacking. The best part of the Metasploit Framework is that you get hands-on pre-compiled exploit code and various payloads. Metasploit is so flexible that you can use any sort of payload as per your attack requirements. A little bit confusing? Don't worry, everything will be clear as we explore Metasploit.

sploit
(n.) Exploit. A defect in the game code (see bug) or design that can be used to gain unfair advantages. (Source: Dictionary of MMORPG Terms)

Exploit development tools and automated frameworks for exploit testing and simulation are the need of the hour. The Metasploit Framework (MSF) is something which fits the bill. Its latest release has agility and muscle quite comparable to its high-priced commercial counterparts, and the lethality to code an exploit in the shortest possible timeframe, due to a very well defined interface for development. With a complete exploit environment, working exploits, effectual payloads and added handlers, this is one tool which penetration testers must utilize.
This article provides an insight into the basics of exploit development frameworks, with a special focus on the Metasploit Framework and how it can be exploited to save time and resources. I will describe its usage with graphical illustrations, detail the various commands available, describe features, give practical examples, and most importantly, use these skills to develop new exploits and test out new techniques. In particular, I'll show some examples of successful hacks with various exploit modules of Metasploit.
Enter the Metasploit Framework (MSF)! According to the MSF User Crash Course guide:
"The Metasploit Framework is a complete environment for writing, testing, and using exploit code. This environment provides a solid platform for penetration testing, shell code development, and vulnerability research."

In my words, the Metasploit Framework is a singular solution to all the above-discussed problems. The framework has matured to quite an extent in the 2.0 release. It's more stable, has very attractive features and a very intuitive user interface for exploit development.

The major features that give an edge to MSF over other options are:
· It is primarily written in Perl (with some parts in assembly, Python and C), which means clean efficient code and rapid plug-in development.
· Pre-packaged support for extensible tools, libraries and features like debugging, encoding, logging, timeouts and random nops and SSL.
· An intelligible, intuitive, modular and extensible exploit API and environment.
· Highly optimized multi-platform, multi-featured payloads that are dynamically loadable.
· Enhanced handler and callback support, which really shortens the exploit code.
· Support for various networking options and protocols, which can be used to develop protocol dependent code.
· Supplementary exploits are included, which help us to test out exploitation techniques and sample exploits developed.
· It is Open Source Software and has a dedicated developer community for support.
· Support for advanced features and third party tools like InlineEgg, Impurity, UploadExec and chainable proxies.
It's clear that MSF is definitely a tool the penetration tester must get acquainted with. It gives the art of exploitation a whole new paradigm.
Installation
Currently, the Metasploit Framework works efficiently on Linux and Windows. There are some minor compatibility issues, but they can be ignored. Users can download the latest release for Windows and Linux from http://www.metasploit.com/projects/Fram ... loads.html.
The installation is very trivial and intuitive, and the download packages are in an extract-and-run state. In the case of Linux, decompress the archive (which is in the format framework-2.x.x.tar.gz); the framework directory contains compiled binaries for various utilities. While running on Linux it is advised that the Term::ReadLine::Gnu (for tab completion support) and Net::SSLeay (for SSL support) modules be installed (these are found in the extras directory).
The Windows environment is based on a stripped-down Cygwin environment, which is a wise solution as it provides a very handy console to the user. However, there were some problems with support for ActiveState Perl, hence it supports Cygwin Perl only. The installation is packaged as an executable setup, which installs the Metasploit Framework in the specified directory and adds shortcuts to it.

Now we will start with a brief introduction to the console interface and explain how to select and use an exploit module.
The installed MSF has two work environments, the msfconsole and the msfweb interface. However, the primary (and preferred) work area for MSF is the msfconsole. It is an efficient command-line interface that has its own command set and environment system. Although the Framework was designed to run on a Unix-like system, such as Linux or BSD, it will also run on Windows through the Cygwin environment. The Windows installer, from the metasploit.com web site, includes a pre-configured and stripped-down version of Cygwin.
During the initialization of msfconsole, standard checks are performed. If everything works out fine we will see the display as shown in Figure 1.


Figure 1

Now the command prompt (msf>) for msfconsole is active. The console is very flexible, and if the user enters any unknown commands, it will search the PATH environment variable for any matching executable. If a matching file is found it is executed much like a standard command prompt.
Instinctively, typing the help command displays a list of commands available as shown in Figure 2.

Figure 2
The command show exploits lists out the currently available exploits. There are remote exploits for various platforms and applications like Windows, Linux, IIS, Apache, and so on, which help to test the flexibility and understand the working of MSF. This is shown in Figure 3, below.

Figure 3
As you may have noticed, the default installation of the Metasploit Framework v2.5 comes with 111 exploits and 75 payloads, which is quite an impressive stockpile.
To list out the payloads present, execute the show payloads command. The payloads are neat, efficient and very well written. These payloads accomplish a wide array of tasks, such as binding a command shell to a listening port, adding new user accounts, or uploading and executing the program of your choice. MSF even has support for dynamic payload creation, using the InlineEgg library as shown in Figure 4.

Figure 4
Specific information about an exploit can be culled with the command info exploit exploit_name which provides information such as available targets, exploit requirements, details of vulnerability itself, and even references where you can find more information! This is shown in Figure 5.

Figure 5
In the same manner, information about a specific payload can be gained by the command info payload payload_name. Starting with version 2.2 of MSF, you can use info module_name, without having to specify the type, as shown in Figure 6.

Figure 6
Using An Exploit
Now we will describe the procedure to select a specific exploit and then run it. The command use exploit_name activates the exploit environment for the exploit exploit_name. If you select the Microsoft RPC DCOM MS03-026 exploit using the name msrpc_dcom_ms03_026, you will notice the prompt changes from msf> to msf msrpc_dcom_ms03_026 >. This notifies that we are working in the temporary environment of that exploit. The show command can be used to view information about the current exploit. The show options command displays the various parameters which are required to use the exploit, as shown in Figure 7.

Figure 7
It's clear that this exploit requires two parameters, RHOST (the target's address) and RPORT (the target's port, which defaults to 135 in this case). The show targets command will list all available targets for the selected exploit module. As you can see, this module only has one target, which works on NT 4.0 SP6, plus all versions of Windows 2000, and all versions of Windows XP.
The show payloads command will list all payloads that are compatible with the selected exploit. MSF does a good job of preventing you from using the wrong payload for a given exploit.
We must set each of the options listed as 'required' before we can use this exploit. In this exploit we only have a single target option, so we set the TARGET variable to 0, with the command set TARGET 0. Many exploits will choose a reasonable default target for you. We now set the target server's IP address with the command set RHOST 192.168.0.27.
Next we need to set the required payload (shell code) for the exploit. Here we set PAYLOAD to win32_bind, using the command set PAYLOAD win32_bind. The payload names may change between versions of MSF, so always check the output of show payloads after an upgrade. This particular payload will cause the server to listen on a port and spawn a command shell when a connection is made. This displays the extensible flexibility of the MSF payload system. Every single exploit included in MSF allows for arbitrary payloads to be selected and used, even custom ones you develop yourself. Notice the prompt changes from msf msrpc_dcom_ms03_026 > to msf msrpc_dcom_ms03_026(win32_bind) > after selecting a payload. Now we use the show options command to check which options have been set and which are still required to be set. We still need to set the value for LPORT, which we can do with the command set LPORT 4444. By default Metasploit uses the value 4444, so you can also leave it at the default, as shown in Figure 8.

Figure 8
The EXITFUNC variable is available for almost every Windows payload. This variable controls how the payload will clean up after itself once it accomplishes its task. Quite a few vulnerabilities can be exploited repeatedly, simply by using a different value for EXITFUNC. Fortunately, you rarely have to worry about this, as many exploits automatically select the best value for you. Unless you know what you are doing, this value should not be set. Setting the wrong value can wreak havoc on the exploited system.
Many exploits and payloads have another set of options, called advanced options. These can be displayed with the command show advanced. Advanced options can perform tasks such as modifying an exploit request to avoid an IDS signature, changing brute force settings, or specifying exact return addresses to use.
At this point, everything is ready and all variables have been set. We make a final check on the exploit with the show options command and verify that we are good to go.

Everything seems perfect. It's show time!
The exploit command actually launches the attack, doing whatever it needs to do to have the payload executed on the remote system.
The check command can be used to check whether or not the target system is vulnerable to attack. The check feature is not available with every exploit, but can be useful when you are trying to determine if a system is patched before trying to exploit it.
Now if everything goes fine you will have shell access to the victim machine. My personal experience is to use the win32_reverse payload rather than win32_bind, as it increases the success rate of receiving the shell.
Now comes an important part of this tutorial, to actually make you believe how powerful the Metasploit Framework is in the right hands: I'll show you some of my successful hacks using Metasploit's various exploit modules. The first one is my pen testing and compromise of a vulnerable Oracle9i database server. The attack is illustrated below in Figure 9.

Figure 9
Another such test used the Microsoft WINS vulnerability, which affects all Windows platforms except Win98, in which a vulnerable Exchange server was compromised with great ease and no hassle at all. The attack is illustrated in Figure 10.

Figure 10
The basic premise of this tutorial is to make you aware of a few very powerful penetration-testing tools available on the web free of cost. Metasploit, in conjunction with NMAP, Nessus and other security tools, can easily form an integral part of a penetration tester's toolbox. And the fact is that it is indeed one.

Cyber_Warrior
Last edited by cyber_warrior2 on Wed Jan 18, 2006 12:47 pm, edited 1 time in total.
COMMON SENSE IS AN INSTINCT, ENOUGH OF IT IS A GENIUS
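The tutorial above walks through the msrpc_dcom_ms03_026 module with RPORT left at its default of 135 and the win32_bind or win32_reverse payload on LPORT 4444. From the defender's side, the same facts give a simple correlation rule: an accepted inbound connection to TCP/135 on a host, followed shortly by a connection on 4444 between the same two hosts (inbound for a bind shell, outbound from the victim for a reverse shell), is worth an alert, whereas an isolated hit on 135 is ordinary RPC traffic. The Python below is an added example written for this thread, not code from the tutorial or from the Metasploit project; the log lines are constructed and use an assumed "timestamp ACTION PROTO src:port -> dst:port" layout rather than any particular firewall's format.

```python
"""Correlate inbound TCP/135 hits with a follow-up shell connection on TCP/4444."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Constructed sample log lines (assumed layout, not real firewall output).
# Lines 1+3: bind shell pattern, 10.0.0.5 hits 135 then connects to 4444 on the same host.
# Lines 4+5: reverse shell pattern, the victim 192.168.0.40 connects back to the source on 4444.
# Lines 6+7: a 135 hit with a 4444 connection 15 minutes later, outside the default window.
SAMPLE_LOG = """\
2005-12-20T15:19:01 ALLOW TCP 10.0.0.5:1034 -> 192.168.0.27:135
2005-12-20T15:19:02 ALLOW TCP 10.0.0.9:2201 -> 192.168.0.30:445
2005-12-20T15:19:05 ALLOW TCP 10.0.0.5:1035 -> 192.168.0.27:4444
2005-12-20T15:20:10 ALLOW TCP 10.0.0.7:1100 -> 192.168.0.40:135
2005-12-20T15:20:13 ALLOW TCP 192.168.0.40:1026 -> 10.0.0.7:4444
2005-12-20T15:25:00 ALLOW TCP 10.0.0.8:1500 -> 192.168.0.50:135
2005-12-20T15:40:00 ALLOW TCP 10.0.0.8:1501 -> 192.168.0.50:4444
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

RPC_PORT = 135     # RPORT default of the msrpc_dcom_ms03_026 module
SHELL_PORT = 4444  # LPORT default of the win32_bind / win32_reverse payloads


@dataclass(frozen=True)
class Conn:
    ts: datetime
    src: str
    dst: str
    dport: int


def parse_log(text):
    """Parse accepted TCP connections out of the log text; other lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["action"] != "ALLOW" or m["proto"] != "TCP":
            continue
        conns.append(Conn(datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])))
    return conns


def find_shell_followups(conns, window_seconds=60):
    """Return (kind, attacker, victim, rpc_time) for each 135 hit that is followed,
    within the window, by a 4444 connection between the same pair of hosts."""
    alerts = []
    window = timedelta(seconds=window_seconds)
    for rpc in (c for c in conns if c.dport == RPC_PORT):
        attacker, victim = rpc.src, rpc.dst
        for later in conns:
            if later.dport != SHELL_PORT or not (rpc.ts < later.ts <= rpc.ts + window):
                continue
            if later.src == attacker and later.dst == victim:
                alerts.append(("bind_shell", attacker, victim, rpc.ts))
                break
            if later.src == victim and later.dst == attacker:
                alerts.append(("reverse_shell", attacker, victim, rpc.ts))
                break
    return alerts


if __name__ == "__main__":
    for kind, attacker, victim, when in find_shell_followups(parse_log(SAMPLE_LOG)):
        print(f"{when.isoformat()} {kind}: {attacker} -> {victim} (TCP/135 followed by TCP/4444)")
```

On the constructed input this reports the bind-shell pair (10.0.0.5 -> 192.168.0.27) and the reverse-shell pair (10.0.0.7 -> 192.168.0.40) and stays quiet about the third 135 hit, whose 4444 connection falls outside the 60-second window; widening the window to an hour picks it up too. In practice the LPORT is whatever the operator sets, so the port constant is the weakest part of the rule; the host-pair correlation with a short window is what carries the signal.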

hagbard
Strike 1
Posts: 2
Joined: Thu Nov 17, 2005 11:16 am

Post by hagbard » Tue Dec 20, 2005 5:37 pm

I tested your tut. Everything works fine and is really well documented.
I hacked my Win2000 Prof Box really fast and was really impressed.
Thanks for this lesson!

Cu,

hagbard

telcontar
31337 Martial Artist
Posts: 1898
Joined: Sat Feb 21, 2004 8:38 am
Location: /etc/login.defs

Post by telcontar » Thu Dec 22, 2005 7:46 am

It's a pity that there aren't more tutorials like this posted.

Thanks for the contribution cyber_warrior2 =)


-telcontar
Fate favours the well prepared ...


(A + 3, N - 1, X)

cyber_warrior2
Sargeant at Arms
Posts: 296
Joined: Sat Jun 12, 2004 1:48 pm
Location: India

Post by cyber_warrior2 » Thu Dec 22, 2005 8:22 am

Hi, I am really happy that a few of you people really found it useful and tried it. Thanks hagbard and telcontar :-)
COMMON SENSE IS AN INSTINCT, ENOUGH OF IT IS A GENIUS

mrc0de
Strike 1
Posts: 9
Joined: Fri Aug 08, 2003 10:04 pm
Location: Right Behind You...

Post by mrc0de » Fri Jan 06, 2006 12:27 am

Sup man... any hints on finding vuln hosts? I've been using Google, ya know, like intext:Apache/1.* and shit like that... Great tut btw. I never heard of Metasploit till the other day and I just got it and I'm impressed.

I usually go to Johnny's ihackstuff page and see all sorts of ways to find vuln servers but never have the exploits; now I've got a shit ton of exploits and am looking for servers... funny. I can find them on my own but any tips or personal experience would be really cool. Thanks again for filling me in on Metasploit, it's definitely very cool.

Mrc0de :twisted:
I am The Devil, And I've Come To Do The Devil's Work.

cyber_warrior2
Sargeant at Arms
Posts: 296
Joined: Sat Jun 12, 2004 1:48 pm
Location: India

Post by cyber_warrior2 » Sun Jan 08, 2006 5:33 am

mrc0de wrote:Sup man... any hints on finding vuln hosts? I've been using Google, ya know, like intext:Apache/1.* and crap like that... Great tut btw. I never heard of Metasploit till the other day and I just got it and I'm impressed.

I usually go to Johnny's ihackstuff page and see all sorts of ways to find vuln servers but never have the exploits; now I've got a crap ton of exploits and am looking for servers... funny. I can find them on my own but any tips or personal experience would be really cool. Thanks again for filling me in on Metasploit, it's definitely very cool.

Mrc0de :twisted:
I would suggest you prepare a test LAN and then try to hack that. Nobody here will suggest you hack in the wild. Moreover, you can use VMware to create different OSes and run the sploits on them. Regarding how to attack the machines, you have to find out how the exploit actually works, what service the exploit attacks, what port the service runs on and stuff like that. Study and you'll have all the answers. :o
COMMON SENSE IS AN INSTINCT, ENOUGH OF IT IS A GENIUS

B-Con
Challenge Winner [1x]
Posts: 2679
Joined: Thu Apr 22, 2004 4:19 pm
Location: UC Davis

Post by B-Con » Tue Jan 10, 2006 7:09 pm

Very nice tutorial. Love it :D
- "Cryptographically secure linear feedback shift register based stream ciphers" -- a phrase that'll get any party started.

- Why know the ordinary when you can understand the extraordinary?

tgo
ogt
Posts: 154
Joined: Thu Oct 20, 2005 9:31 pm

Post by tgo » Wed Jan 11, 2006 12:21 am

So a script kiddie tool gets released and then you release a guide so even retards can use it. Congratulations on creating more skiddies than there already are; I hope you are proud.

GhostHawk
Ex-Mod
Posts: 1447
Joined: Wed Jul 30, 2003 12:10 am

Post by GhostHawk » Wed Jan 11, 2006 12:49 am

Congrats on a totally useless and pointless post. Seems like you might be just right for this guide. Way to go, hope you are proud.
Opinions are like ass holes, everyone has one. It is also my opinion, that I am an ass hole.

cyber_warrior2
Sargeant at Arms
Posts: 296
Joined: Sat Jun 12, 2004 1:48 pm
Location: India

Post by cyber_warrior2 » Wed Jan 11, 2006 2:02 am

tgo wrote:So a script kiddie tool gets released and then you release a guide so even retards can use it. Congratulations on creating more skiddies than there already are; I hope you are proud.
Lol buddy, can you spell "M E T A S P L O I T"? Just one question: tell me what Metasploit is. Script kiddie tool, LMAO. Metasploit is a huge framework used extensively by pen testers these days. I have just given an overview of one section of it; the important part of it is the easy and quick development of new exploit modules. Google Metasploit and you'll know what it is. And if you want to increase your post count, and you think yourself to be l33t, find another forum where you can post your useless junk.
COMMON SENSE IS AN INSTINCT, ENOUGH OF IT IS A GENIUS

Annatar
Hacker in Training
Posts: 85
Joined: Wed Nov 12, 2003 11:40 am

Post by Annatar » Wed Jan 11, 2006 7:23 am

Indeed... I've used the Whoppix live distro a few times before for pentesting purposes, and the full Metasploit integration was one of its best features :o
It probably makes life a little easier for skiddies, because they have tons of exploits right there at their fingertips.

Very often if you download exploit source code it won't compile, because it has sh*tloads of intentional syntax errors. Anyone with some C skill should be able to correct these, but with Metasploit it doesn't really matter as much what they know :?

Be that as it may, the tool is simply awesome
period

shinobi
Corporal
Posts: 124
Joined: Mon Jan 16, 2006 5:47 am
Location: Svealand(just in the middle), Sweden.

Post by shinobi » Mon Jan 16, 2006 7:01 am

tgo wrote:So a script kiddie tool gets released and then you release a guide so even retards can use it. Congratulations on creating more skiddies than there already are; I hope you are proud.
Hackers come from somewhere... if a couple out of 10 skiddies get to grow into proper hackers, it's all good...

kka_kenny
Your Senior
Posts: 901
Joined: Sat May 15, 2004 5:42 pm

Post by kka_kenny » Tue Jan 17, 2006 8:25 pm

The guide was very well done, step by step, but the skiddie number will not be good :oops:

Anyways, one comment: rather than saying "I hacked this vulnerable..." etc., I'd prefer writing pentesting or any other terminology which is less skiddie friendly. That is just my humble opinion...
It starts with a simple lie, then you die.

cyber_warrior2
Sargeant at Arms
Posts: 296
Joined: Sat Jun 12, 2004 1:48 pm
Location: India

Post by cyber_warrior2 » Wed Jan 18, 2006 12:54 pm

kka_kenny wrote:Anyways, one comment: rather than saying "I hacked this vulnerable..." etc., I'd prefer writing pentesting or any other terminology which is less skiddie friendly. That is just my humble opinion...
Point taken and implemented Sir.

:wink:

Cyber_Warrior
COMMON SENSE IS AN INSTINCT, ENOUGH OF IT IS A GENIUS

shinobi
Corporal
Posts: 124
Joined: Mon Jan 16, 2006 5:47 am
Location: Svealand(just in the middle), Sweden.

Post by shinobi » Fri Jan 20, 2006 4:37 am

Somehow I might have done something wrong, since I won't get a connection to anything :/

And after installation Metasploit appears, but when I closed it once I can't get it up again? I've been looking in the start menu and in the Metasploit directory.

Sorry for being so sucky but I really would love some help.

cyber_warrior2
Sargeant at Arms
Posts: 296
Joined: Sat Jun 12, 2004 1:48 pm
Location: India

Post by cyber_warrior2 » Fri Jan 20, 2006 9:08 am

Surely you will get help, but I need some more info from you, like what exactly you have done, which exploit module you are using, whether the attacked machine is vulnerable and what OS you're running, etc. You can always use the check command, which is there with many exploit modules, so that you can be sure whether the targeted machine is vulnerable or not.

Cyber_Warrior
COMMON SENSE IS AN INSTINCT, ENOUGH OF IT IS A GENIUS

soulboy
n00b
Posts: 1
Joined: Mon Feb 27, 2006 2:33 am

Post by soulboy » Mon Feb 27, 2006 2:41 am

Nice tutorial. Thanks

rockay
n00b
Posts: 11
Joined: Mon May 01, 2006 3:34 am

Post by rockay » Mon May 01, 2006 5:01 am

It's giving me a syntax error... I mean when I opened up the console, i.e. the msfconsole, it's giving me a syntax error...

help !!

cyber_warrior2
Sargeant at Arms
Posts: 296
Joined: Sat Jun 12, 2004 1:48 pm
Location: India

Post by cyber_warrior2 » Thu May 04, 2006 3:17 am

I understand that English is not your first language. You can always use the Babelfish thingy on http://www.altavista.com. And regarding your problem, just let us know what type of syntax error. You might want to try reinstalling the package. A little bit more info might help.

Cyber_Warrior
COMMON SENSE IS AN INSTINCT, ENOUGH OF IT IS A GENIUS

Net Battle Bot
Owns you
Posts: 1816
Joined: Fri Jun 04, 2004 6:44 am
Location: Groom Lake

Post by Net Battle Bot » Thu May 04, 2006 3:52 am

cyber_warrior2 wrote:I understand that English is not your first language. You can always use the Babelfish thingy on http://www.altavista.com
Oi, that's my line... :?
Without practice one cannot prove; without proof one cannot be trusted; without trust one cannot be respected.
